10341000x800000000000000033936Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:30.417{15964E91-0672-620E-C000-000000003602}31923852C:\Windows\system32\conhost.exe{15964E91-144E-620E-CF07-000000003602}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033935Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:30.413{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033934Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:30.413{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033933Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:30.413{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033932Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:30.412{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033931Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:30.405{15964E91-054E-620E-0500-000000003602}392476C:\Windows\system32\csrss.exe{15964E91-144E-620E-CF07-000000003602}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000033930Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:30.405{15964E91-0672-620E-BC00-000000003602}48522656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{15964E91-144E-620E-CF07-000000003602}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000033929Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:30.406{15964E91-144E-620E-CF07-000000003602}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{15964E91-054F-620E-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{15964E91-0672-620E-BC00-000000003602}4852C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000033928Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:30.313{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C09C37418A02722545CADDD949CE9A40,SHA256=42800CC6EF1CD1156B12D30F7E143B37D4E8F70DFAA69ABCF798EDF28D2F23E6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000033956Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:31.981{15964E91-0672-620E-C000-000000003602}31923852C:\Windows\system32\conhost.exe{15964E91-144F-620E-D107-000000003602}3312C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033955Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:31.979{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033954Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:31.979{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033953Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:31.978{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033952Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:31.978{15964E91-054E-620E-0500-000000003602}392508C:\Windows\system32\csrss.exe{15964E91-144F-620E-D107-000000003602}3312C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000033951Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:31.978{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033950Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:31.978{15964E91-0672-620E-BC00-000000003602}48522656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{15964E91-144F-620E-D107-000000003602}3312C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000033949Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:31.977{15964E91-144F-620E-D107-000000003602}3312C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{15964E91-054F-620E-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{15964E91-0672-620E-BC00-000000003602}4852C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000033948Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:31.414{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=393B92648C1459CC7F8E50C4F0D49325,SHA256=F928066788110B548371634918D3315901229AC60E5B75DC6B99F6BE86411A34,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033947Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:31.414{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=08FE7648540E473CF11F223E38BA466C,SHA256=893FC69D8AF9E04D89B2BD3A3DA43C78B46ACBD6836580ED42F5D6E3266417E8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000033946Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:31.335{15964E91-144F-620E-D007-000000003602}59806096C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{15964E91-0672-620E-BC00-000000003602}4852C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000033945Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:31.327{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B142B056173B900B8D3D149F8529F2F2,SHA256=79154FA8D35A1FACA5DF0399A4B7EE7096D1CF1BE63C5418792A45F72207E43C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000033944Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:31.090{15964E91-0672-620E-C000-000000003602}31923852C:\Windows\system32\conhost.exe{15964E91-144F-620E-D007-000000003602}5980C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033943Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:31.086{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033942Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:31.086{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033941Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:31.086{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033940Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:31.086{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033939Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:31.086{15964E91-054E-620E-0500-000000003602}392508C:\Windows\system32\csrss.exe{15964E91-144F-620E-D007-000000003602}5980C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000033938Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:31.086{15964E91-0672-620E-BC00-000000003602}48522656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{15964E91-144F-620E-D007-000000003602}5980C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000033937Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:31.087{15964E91-144F-620E-D007-000000003602}5980C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{15964E91-054F-620E-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{15964E91-0672-620E-BC00-000000003602}4852C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000033958Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:31.536{15964E91-067A-620E-EA00-000000003602}944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-72.attackrange.local54596-false10.0.1.12-8000- 23542300x800000000000000033957Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:32.329{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4241558A5FC38D02AB9D87D0539447CB,SHA256=7155B3484C0B84B1374F7C5680423015EFE2DB7A6641D1A9C24AACD5307D1989,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000033970Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:33.428{15964E91-1451-620E-D207-000000003602}68205172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{15964E91-0672-620E-BC00-000000003602}4852C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000033969Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:33.428{15964E91-0551-620E-1100-000000003602}396NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=219C6A91E4520E7B8A42CC0334CA1D55,SHA256=BB523C686DEFD4D5840D31B957FCE6893E4C26A57A977E4AF15284EADEE9FED5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033968Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:33.344{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9DA8CCD4D0A079A55780AB2E2A14BDEF,SHA256=1323DDEE2431722FD86F36A3EA3040EFC7D24A925CD9E445408148980C54C38A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000033967Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:33.228{15964E91-0672-620E-C000-000000003602}31923852C:\Windows\system32\conhost.exe{15964E91-1451-620E-D207-000000003602}6820C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033966Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:33.228{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033965Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:33.228{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033964Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:33.228{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033963Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:33.228{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033962Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:33.228{15964E91-054E-620E-0500-000000003602}392476C:\Windows\system32\csrss.exe{15964E91-1451-620E-D207-000000003602}6820C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000033961Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:33.228{15964E91-0672-620E-BC00-000000003602}48522656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{15964E91-1451-620E-D207-000000003602}6820C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000033960Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:33.229{15964E91-1451-620E-D207-000000003602}6820C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{15964E91-054F-620E-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{15964E91-0672-620E-BC00-000000003602}4852C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000033959Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:33.013{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=393B92648C1459CC7F8E50C4F0D49325,SHA256=F928066788110B548371634918D3315901229AC60E5B75DC6B99F6BE86411A34,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000033981Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:34.545{15964E91-1452-620E-D307-000000003602}19806900C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{15964E91-0672-620E-BC00-000000003602}4852C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033980Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:34.380{15964E91-0672-620E-C000-000000003602}31923852C:\Windows\system32\conhost.exe{15964E91-1452-620E-D307-000000003602}1980C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033979Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:34.379{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033978Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:34.378{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033977Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:34.378{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033976Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:34.378{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033975Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:34.378{15964E91-054E-620E-0500-000000003602}392408C:\Windows\system32\csrss.exe{15964E91-1452-620E-D307-000000003602}1980C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000033974Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:34.378{15964E91-0672-620E-BC00-000000003602}48522656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{15964E91-1452-620E-D307-000000003602}1980C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000033973Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:34.377{15964E91-1452-620E-D307-000000003602}1980C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{15964E91-054F-620E-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{15964E91-0672-620E-BC00-000000003602}4852C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000033972Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:34.345{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1CE4F4755C0FF27B4BAF1DF8CEBC1F13,SHA256=042760D80797534E898F4D3323F0762350C98E9DA0D3DB1B5DF8CBC30123A57D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033971Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:34.244{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BB6A218B75515D9069901611FC9DD601,SHA256=3433CE7B29A8A174774D0C51FB57E1E2B6E2092003BF7B786848232B676C200F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034000Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:35.944{15964E91-0672-620E-C000-000000003602}31923852C:\Windows\system32\conhost.exe{15964E91-1453-620E-D507-000000003602}6652C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033999Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:35.944{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033998Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:35.944{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033997Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:35.944{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033996Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:35.944{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033995Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:35.944{15964E91-054E-620E-0500-000000003602}392408C:\Windows\system32\csrss.exe{15964E91-1453-620E-D507-000000003602}6652C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000033994Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:35.944{15964E91-0672-620E-BC00-000000003602}48522656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{15964E91-1453-620E-D507-000000003602}6652C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000033993Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:35.945{15964E91-1453-620E-D507-000000003602}6652C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{15964E91-054F-620E-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{15964E91-0672-620E-BC00-000000003602}4852C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000033992Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:35.414{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FB84AB4340989FC5C6484F997DC9C53E,SHA256=102220427B1E01BA4A12927BC8CF81BEC2F25B22D9D3BC9A96F01505AF36C7BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033991Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:35.382{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B86D8F2843BA2FF9DBE5908D1937DD77,SHA256=8DCE518FC43C344BF4C0B2A8C99FA2E60F3829C43A8D3371F9457C60F4125E13,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000033990Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:35.297{15964E91-1453-620E-D407-000000003602}46045092C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{15964E91-0672-620E-BC00-000000003602}4852C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033989Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:35.060{15964E91-0672-620E-C000-000000003602}31923852C:\Windows\system32\conhost.exe{15964E91-1453-620E-D407-000000003602}4604C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033988Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:35.060{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033987Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:35.060{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033986Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:35.060{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033985Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:35.060{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033984Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:35.060{15964E91-054E-620E-0500-000000003602}392408C:\Windows\system32\csrss.exe{15964E91-1453-620E-D407-000000003602}4604C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000033983Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:35.060{15964E91-0672-620E-BC00-000000003602}48522656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{15964E91-1453-620E-D407-000000003602}4604C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000033982Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:35.061{15964E91-1453-620E-D407-000000003602}4604C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{15964E91-054F-620E-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{15964E91-0672-620E-BC00-000000003602}4852C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000034002Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:36.945{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BEB301488A9AB850E4BCD3F048AAED22,SHA256=FECEE4F02012C52C9FA45D80CCAEDCA10015B1E1FA962945274758AEDCEA1733,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034001Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:36.412{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=577992EFB2294A1E37BC0423F36824D7,SHA256=0D313D3670F07C231AFE01E764B09668255C45F9511E68E4FB284A31A15A4522,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034004Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:36.706{15964E91-067A-620E-EA00-000000003602}944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-72.attackrange.local54597-false10.0.1.12-8000- 23542300x800000000000000034003Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:37.413{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6F415382CDDD7DBBF69C2FB55C879C4,SHA256=2262F1E277F17DDAE88BE73E57B4AF9811F06F25F37C779BE61E94379DCA6932,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034005Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:38.428{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB1FE72B0DA735751CD48A1AC9EF73F1,SHA256=B0BDEEB517C7F07FF52966085054B8261E93E2AAB5FB3027A8DF56E198239B67,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034041Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:39.828{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14CF37AF06092C1FCC3B04CE73A1303B,SHA256=0DE82D21074A2590F3A0A757CD9A4FCEFA8B8FBDB8D44017729A1EF89E45A636,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034040Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:39.178{15964E91-0551-620E-0D00-000000003602}880904C:\Windows\system32\svchost.exe{15964E91-0B4D-620E-6506-000000003602}3824C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034039Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:39.178{15964E91-0551-620E-0D00-000000003602}880904C:\Windows\system32\svchost.exe{15964E91-0B4D-620E-6506-000000003602}3824C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034038Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:39.178{15964E91-0551-620E-0D00-000000003602}880904C:\Windows\system32\svchost.exe{15964E91-0B4D-620E-6506-000000003602}3824C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034037Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:39.178{15964E91-0551-620E-0D00-000000003602}880904C:\Windows\system32\svchost.exe{15964E91-0B4D-620E-6506-000000003602}3824C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034036Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:39.177{15964E91-0551-620E-0D00-000000003602}880904C:\Windows\system32\svchost.exe{15964E91-0B4D-620E-6506-000000003602}3824C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034035Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:39.177{15964E91-0551-620E-0D00-000000003602}880904C:\Windows\system32\svchost.exe{15964E91-0B4D-620E-6506-000000003602}3824C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034034Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:39.177{15964E91-0551-620E-0D00-000000003602}880904C:\Windows\system32\svchost.exe{15964E91-0B4D-620E-6506-000000003602}3824C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034033Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:39.177{15964E91-0551-620E-0D00-000000003602}880904C:\Windows\system32\svchost.exe{15964E91-0B4D-620E-6506-000000003602}3824C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034032Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:39.177{15964E91-0551-620E-0D00-000000003602}880904C:\Windows\system32\svchost.exe{15964E91-0B4D-620E-6506-000000003602}3824C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034031Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:39.177{15964E91-0551-620E-0D00-000000003602}880904C:\Windows\system32\svchost.exe{15964E91-0B4D-620E-6506-000000003602}3824C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034030Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:39.177{15964E91-0551-620E-0D00-000000003602}880904C:\Windows\system32\svchost.exe{15964E91-0B4D-620E-6506-000000003602}3824C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034029Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:39.177{15964E91-0551-620E-0D00-000000003602}880904C:\Windows\system32\svchost.exe{15964E91-0B4D-620E-6506-000000003602}3824C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034028Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:39.177{15964E91-0551-620E-0D00-000000003602}880904C:\Windows\system32\svchost.exe{15964E91-0B4D-620E-6506-000000003602}3824C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034027Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:39.177{15964E91-0551-620E-0D00-000000003602}880904C:\Windows\system32\svchost.exe{15964E91-0B4D-620E-6506-000000003602}3824C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034026Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:39.177{15964E91-0551-620E-0D00-000000003602}880904C:\Windows\system32\svchost.exe{15964E91-0B4D-620E-6506-000000003602}3824C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034025Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:39.177{15964E91-0551-620E-0D00-000000003602}880904C:\Windows\system32\svchost.exe{15964E91-0B4D-620E-6506-000000003602}3824C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034024Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:39.177{15964E91-0551-620E-0D00-000000003602}880904C:\Windows\system32\svchost.exe{15964E91-0B4D-620E-6506-000000003602}3824C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034023Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:39.177{15964E91-0551-620E-0D00-000000003602}880904C:\Windows\system32\svchost.exe{15964E91-0B4D-620E-6506-000000003602}3824C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034022Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:39.177{15964E91-0551-620E-0D00-000000003602}880904C:\Windows\system32\svchost.exe{15964E91-0B4D-620E-6506-000000003602}3824C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034021Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:39.177{15964E91-0551-620E-0D00-000000003602}880904C:\Windows\system32\svchost.exe{15964E91-0B4D-620E-6506-000000003602}3824C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034020Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:39.177{15964E91-0551-620E-0D00-000000003602}880904C:\Windows\system32\svchost.exe{15964E91-0B4D-620E-6506-000000003602}3824C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034019Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:39.177{15964E91-0551-620E-0D00-000000003602}880904C:\Windows\system32\svchost.exe{15964E91-0B4D-620E-6506-000000003602}3824C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034018Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:39.176{15964E91-0551-620E-0D00-000000003602}880904C:\Windows\system32\svchost.exe{15964E91-0B59-620E-7306-000000003602}172C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034017Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:39.176{15964E91-0551-620E-0D00-000000003602}880904C:\Windows\system32\svchost.exe{15964E91-0B59-620E-7306-000000003602}172C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034016Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:39.176{15964E91-0551-620E-0D00-000000003602}880904C:\Windows\system32\svchost.exe{15964E91-0B59-620E-7306-000000003602}172C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034015Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:39.176{15964E91-0551-620E-0D00-000000003602}880904C:\Windows\system32\svchost.exe{15964E91-0B59-620E-7306-000000003602}172C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034014Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:39.176{15964E91-0551-620E-0D00-000000003602}880904C:\Windows\system32\svchost.exe{15964E91-0B59-620E-7306-000000003602}172C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034013Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:39.176{15964E91-0551-620E-0D00-000000003602}880904C:\Windows\system32\svchost.exe{15964E91-0B59-620E-7306-000000003602}172C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034012Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:39.176{15964E91-0551-620E-0D00-000000003602}880904C:\Windows\system32\svchost.exe{15964E91-0B59-620E-7306-000000003602}172C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034011Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:39.176{15964E91-0551-620E-0D00-000000003602}880904C:\Windows\system32\svchost.exe{15964E91-0B59-620E-7306-000000003602}172C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034010Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:39.176{15964E91-0551-620E-0D00-000000003602}880904C:\Windows\system32\svchost.exe{15964E91-0562-620E-2F00-000000003602}8C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034009Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:39.176{15964E91-0551-620E-0D00-000000003602}880904C:\Windows\system32\svchost.exe{15964E91-0562-620E-2F00-000000003602}8C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034008Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:39.175{15964E91-0551-620E-0D00-000000003602}880904C:\Windows\system32\svchost.exe{15964E91-0B5A-620E-7406-000000003602}1440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034007Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:39.175{15964E91-0551-620E-0D00-000000003602}880904C:\Windows\system32\svchost.exe{15964E91-0B5A-620E-7406-000000003602}1440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034006Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:39.175{15964E91-0551-620E-0D00-000000003602}880904C:\Windows\system32\svchost.exe{15964E91-0B5A-620E-7406-000000003602}1440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000034042Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:40.843{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D6DBC021EFACD6F87E34DC87FE7A287,SHA256=2BF140BC93879F530498A919C4E096D595289391D7FE9675E12A9501FA1A8E9F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034043Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:41.858{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BB9A08FB22FAABEF59844C6D4C647C6,SHA256=8F7FE1C0D590064A800130F64562E48FF07562A6843D6BE1C781C8AFB3752E0A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034044Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:42.859{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3059ECF4155279818934D7CE7479520F,SHA256=AFE77F8745D79E2483F3594D54EFCB65446D92010E9EA1F5E1E8E7AC2D1591B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034045Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:43.862{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03B2B3AF489C4D0FC240A20D6EE8BD10,SHA256=8B57071CC6CF32860523F9DBF15ADF608157D41EF1BE7AE0FB5DC3516E2AF702,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034047Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:44.883{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8A2496F8EE026798415B6F4A6E312BC,SHA256=005CBD1DD47AD30F03022B5D3CA66AD39787606347D9F67A20D2577664DD8B6F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034046Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:42.619{15964E91-067A-620E-EA00-000000003602}944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-72.attackrange.local54598-false10.0.1.12-8000- 23542300x800000000000000034048Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:45.898{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9248F0293E1B04C7305D7CEA1F7AD569,SHA256=60C67391113D536A317D1B711F7DCDF5951B7649A88A6CDFFC939D07F34AFBBF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034049Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:46.912{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90D5A5C9326309010F9CACB49FEA2787,SHA256=EF546E378BA59A5B2E961387CAB1A3B07FF99DBA45AABC77BD1D93ADCED86C64,IMPHASH=00000000000000000000000000000000falsetrue 17141700x800000000000000034054Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-CreatePipe2022-02-17 09:24:47.945{15964E91-0D67-620E-C106-000000003602}7132\chrome.7132.134.143744597C:\Program Files\Mozilla Firefox\firefox.exe 23542300x800000000000000034053Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:47.930{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75A75DBF5B4F8F2559A7EEB59326E1D7,SHA256=926978B1B9B75788BDC084516F8DBED74706A5A5C0D1D077BFA31911D32A286D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034052Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:47.898{15964E91-0D67-620E-C106-000000003602}71324796C:\Program Files\Mozilla Firefox\firefox.exe{15964E91-1374-620E-B107-000000003602}6224C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+2ba20|C:\Program Files\Mozilla Firefox\xul.dll+e4d42d|C:\Program Files\Mozilla Firefox\xul.dll+e4ceb8|C:\Program Files\Mozilla Firefox\xul.dll+844fb2|C:\Program Files\Mozilla Firefox\xul.dll+8390ea|C:\Program Files\Mozilla Firefox\xul.dll+19df6f7|C:\Program Files\Mozilla Firefox\xul.dll+16aee96|C:\Program Files\Mozilla Firefox\xul.dll+1a05b8f|C:\Program Files\Mozilla Firefox\xul.dll+9945bf|C:\Program Files\Mozilla Firefox\xul.dll+2479e|C:\Program Files\Mozilla Firefox\xul.dll+18eaa8|C:\Program Files\Mozilla Firefox\xul.dll+18d99f|C:\Program Files\Mozilla Firefox\xul.dll+43e0a51|C:\Program Files\Mozilla Firefox\xul.dll+444af9b|C:\Program Files\Mozilla Firefox\xul.dll+444bd89|C:\Program Files\Mozilla Firefox\xul.dll+1f9ea33|C:\Program Files\Mozilla Firefox\firefox.exe+9e20|C:\Program Files\Mozilla Firefox\firefox.exe+1ca68|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034051Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:47.883{15964E91-0D67-620E-C106-000000003602}71324796C:\Program Files\Mozilla Firefox\firefox.exe{15964E91-1385-620E-B207-000000003602}6624C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+2ba20|C:\Program Files\Mozilla Firefox\xul.dll+e4d42d|C:\Program Files\Mozilla Firefox\xul.dll+e47659|C:\Program Files\Mozilla Firefox\xul.dll+e48048|C:\Program Files\Mozilla Firefox\xul.dll+e363d1|C:\Program Files\Mozilla Firefox\xul.dll+4218b14|C:\Program Files\Mozilla Firefox\xul.dll+243d6f0|C:\Program Files\Mozilla Firefox\xul.dll+98726e|C:\Program Files\Mozilla Firefox\xul.dll+948901|C:\Program Files\Mozilla Firefox\xul.dll+18f18d|C:\Program Files\Mozilla Firefox\xul.dll+98a737|C:\Program Files\Mozilla Firefox\xul.dll+43751f6|C:\Program Files\Mozilla Firefox\xul.dll+95183a|C:\Program Files\Mozilla Firefox\xul.dll+95d654|C:\Program Files\Mozilla Firefox\xul.dll+95c47e|C:\Program Files\Mozilla Firefox\xul.dll+8959ca|C:\Program Files\Mozilla Firefox\xul.dll+82af27|C:\Program Files\Mozilla Firefox\xul.dll+19df6f7|C:\Program Files\Mozilla Firefox\xul.dll+16aee96|C:\Program Files\Mozilla Firefox\xul.dll+1a05b8f|C:\Program Files\Mozilla Firefox\xul.dll+9945bf|C:\Program Files\Mozilla Firefox\xul.dll+2479e 13241300x800000000000000034050Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-SetValue2022-02-17 09:24:47.128{15964E91-0551-620E-1200-000000003602}416C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d823e0-0x34b3ef34) 10341000x800000000000000034106Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:48.985{15964E91-0551-620E-1200-000000003602}4161700C:\Windows\system32\svchost.exe{15964E91-1460-620E-D607-000000003602}5300C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034105Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:48.984{15964E91-0551-620E-1200-000000003602}4161700C:\Windows\system32\svchost.exe{15964E91-1460-620E-D607-000000003602}5300C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034104Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:48.974{15964E91-054F-620E-0B00-000000003602}608648C:\Windows\system32\lsass.exe{15964E91-1460-620E-D607-000000003602}5300C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034103Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:48.974{15964E91-054F-620E-0B00-000000003602}608648C:\Windows\system32\lsass.exe{15964E91-1460-620E-D607-000000003602}5300C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x800000000000000034102Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-ConnectPipe2022-02-17 09:24:48.958{15964E91-0D67-620E-C106-000000003602}7132\cubeb-pipe-7132-46C:\Program Files\Mozilla Firefox\firefox.exe 17141700x800000000000000034101Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-CreatePipe2022-02-17 09:24:48.958{15964E91-0D67-620E-C106-000000003602}7132\cubeb-pipe-7132-46C:\Program Files\Mozilla Firefox\firefox.exe 10341000x800000000000000034100Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:48.946{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-1460-620E-D607-000000003602}5300C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034099Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:48.946{15964E91-0551-620E-1600-000000003602}13281368C:\Windows\system32\svchost.exe{15964E91-1460-620E-D607-000000003602}5300C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x800000000000000034098Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-ConnectPipe2022-02-17 09:24:48.942{15964E91-0D69-620E-C206-000000003602}6692\chrome.7132.136.8143004C:\Program Files\Mozilla Firefox\firefox.exe 17141700x800000000000000034097Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-CreatePipe2022-02-17 09:24:48.942{15964E91-0D67-620E-C106-000000003602}7132\chrome.7132.136.8143004C:\Program Files\Mozilla Firefox\firefox.exe 10341000x800000000000000034096Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:48.942{15964E91-0D67-620E-C106-000000003602}71322220C:\Program Files\Mozilla Firefox\firefox.exe{15964E91-1460-620E-D607-000000003602}5300C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+19fd0bf|C:\Program Files\Mozilla Firefox\xul.dll+19fb95b|C:\Program Files\Mozilla Firefox\xul.dll+12bc5|C:\Program Files\Mozilla Firefox\xul.dll+9945bf|C:\Program Files\Mozilla Firefox\xul.dll+127a7|C:\Program Files\Mozilla Firefox\xul.dll+991801|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1d4d8|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x800000000000000034095Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-ConnectPipe2022-02-17 09:24:48.942{15964E91-0D67-620E-C106-000000003602}7132\chrome.7132.135.197757520C:\Program Files\Mozilla Firefox\firefox.exe 10341000x800000000000000034094Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:48.938{15964E91-0D67-620E-C106-000000003602}71323292C:\Program Files\Mozilla Firefox\firefox.exe{15964E91-1460-620E-D607-000000003602}5300C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+12332b|C:\Program Files\Mozilla Firefox\xul.dll+121a9ff|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1d4d8|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x800000000000000034093Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-ConnectPipe2022-02-17 09:24:48.938{15964E91-0D67-620E-C106-000000003602}7132\gecko-crash-server-pipe.7132C:\Program Files\Mozilla Firefox\firefox.exe 10341000x800000000000000034092Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:48.910{15964E91-0D67-620E-C106-000000003602}71324796C:\Program Files\Mozilla Firefox\firefox.exe{15964E91-1460-620E-D607-000000003602}5300C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+2ba20|C:\Program Files\Mozilla Firefox\xul.dll+e4d42d|C:\Program Files\Mozilla Firefox\xul.dll+e47659|C:\Program Files\Mozilla Firefox\xul.dll+e38491|C:\Program Files\Mozilla Firefox\xul.dll+e46718|C:\Program Files\Mozilla Firefox\xul.dll+7cb4e4|C:\Program Files\Mozilla Firefox\xul.dll+19df6f7|C:\Program Files\Mozilla Firefox\xul.dll+16aee96|C:\Program Files\Mozilla Firefox\xul.dll+1a05b8f|C:\Program Files\Mozilla Firefox\xul.dll+9945bf|C:\Program Files\Mozilla Firefox\xul.dll+2479e|C:\Program Files\Mozilla Firefox\xul.dll+18eaa8|C:\Program Files\Mozilla Firefox\xul.dll+18d99f|C:\Program Files\Mozilla Firefox\xul.dll+43e0a51|C:\Program Files\Mozilla Firefox\xul.dll+444af9b|C:\Program Files\Mozilla Firefox\xul.dll+444bd89|C:\Program Files\Mozilla Firefox\xul.dll+1f9ea33|C:\Program Files\Mozilla Firefox\firefox.exe+9e20|C:\Program Files\Mozilla Firefox\firefox.exe+1ca68|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034091Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:48.910{15964E91-0D67-620E-C106-000000003602}71322220C:\Program Files\Mozilla Firefox\firefox.exe{15964E91-1460-620E-D607-000000003602}5300C:\Program Files\Mozilla Firefox\firefox.exe0x101451C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+9a99af|C:\Program Files\Mozilla Firefox\xul.dll+7cb4e4|C:\Program Files\Mozilla Firefox\xul.dll+19fb56f|C:\Program Files\Mozilla Firefox\xul.dll+12bc5|C:\Program Files\Mozilla Firefox\xul.dll+9945bf|C:\Program Files\Mozilla Firefox\xul.dll+127a7|C:\Program Files\Mozilla Firefox\xul.dll+991801|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1d4d8|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034090Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:48.906{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034089Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:48.906{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034088Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:48.906{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034087Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:48.906{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034086Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:48.902{15964E91-0B49-620E-4B06-000000003602}24362168C:\Windows\system32\csrss.exe{15964E91-1460-620E-D607-000000003602}5300C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000034085Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:48.902{15964E91-0D67-620E-C106-000000003602}71326696C:\Program Files\Mozilla Firefox\firefox.exe{15964E91-1460-620E-D607-000000003602}5300C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\ADVAPI32.dll+189bf|C:\Program Files\Mozilla Firefox\firefox.exe+30d6d|C:\Program Files\Mozilla Firefox\firefox.exe+2ff95|C:\Program Files\Mozilla Firefox\xul.dll+205542a|C:\Program Files\Mozilla Firefox\xul.dll+9a599e|C:\Program Files\Mozilla Firefox\xul.dll+9a3b55|C:\Program Files\Mozilla Firefox\xul.dll+9aa7de|C:\Program Files\Mozilla Firefox\xul.dll+83735d|C:\Program Files\Mozilla Firefox\xul.dll+16af1e9|C:\Program Files\Mozilla Firefox\xul.dll+16ae34a|C:\Program Files\Mozilla Firefox\xul.dll+9945bf|C:\Program Files\Mozilla Firefox\xul.dll+2479e|C:\Program Files\Mozilla Firefox\xul.dll+83a0fb|C:\Program Files\Mozilla Firefox\nss3.dll+6b2c|C:\Program Files\Mozilla Firefox\nss3.dll+8feb1|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1d4d8|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000034084Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:48.902{15964E91-1460-620E-D607-000000003602}5300C:\Program Files\Mozilla Firefox\firefox.exe97.0FirefoxFirefoxMozilla Corporationfirefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="7132.135.1977575200\1030004819" -childID 47 -isForBrowser -prefsHandle 8112 -prefMapHandle 9060 -prefsLen 14938 -prefMapSize 242227 -jsInitHandle 1064 -jsInitLen 279340 -parentBuildID 20220202182137 -appDir "C:\Program Files\Mozilla Firefox\browser" - 7132 "\\.\pipe\gecko-crash-server-pipe.7132" 5128 27b9fed6e48 tabC:\Program Files\Mozilla Firefox\ATTACKRANGE\Administrator{15964E91-0B4B-620E-27B1-370000000000}0x37b1272LowMD5=483C957E78DC5F376690F2A723122472,SHA256=D6BBFEF307CEF9D87BA5D40AC14315545CEFBBDECF705912C52C848EEBF8649D,IMPHASH=FAFFE564A2DAFFCCC4A6BE71D34C1748{15964E91-0D67-620E-C106-000000003602}7132C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" 10341000x800000000000000034083Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:48.898{15964E91-054F-620E-0B00-000000003602}608648C:\Windows\system32\lsass.exe{15964E91-0D67-620E-C106-000000003602}7132C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034082Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:48.898{15964E91-054F-620E-0B00-000000003602}608648C:\Windows\system32\lsass.exe{15964E91-0D67-620E-C106-000000003602}7132C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034081Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:48.898{15964E91-054F-620E-0B00-000000003602}608648C:\Windows\system32\lsass.exe{15964E91-0D67-620E-C106-000000003602}7132C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034080Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:48.898{15964E91-054F-620E-0B00-000000003602}608648C:\Windows\system32\lsass.exe{15964E91-0D67-620E-C106-000000003602}7132C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034079Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:48.898{15964E91-054F-620E-0B00-000000003602}608648C:\Windows\system32\lsass.exe{15964E91-0D67-620E-C106-000000003602}7132C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034078Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:48.898{15964E91-054F-620E-0B00-000000003602}608648C:\Windows\system32\lsass.exe{15964E91-0D67-620E-C106-000000003602}7132C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034077Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:48.898{15964E91-054F-620E-0B00-000000003602}608648C:\Windows\system32\lsass.exe{15964E91-0D67-620E-C106-000000003602}7132C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034076Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:48.898{15964E91-054F-620E-0B00-000000003602}608648C:\Windows\system32\lsass.exe{15964E91-0D67-620E-C106-000000003602}7132C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034075Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:48.898{15964E91-054F-620E-0B00-000000003602}608648C:\Windows\system32\lsass.exe{15964E91-0D67-620E-C106-000000003602}7132C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034074Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:48.898{15964E91-054F-620E-0B00-000000003602}608648C:\Windows\system32\lsass.exe{15964E91-0D67-620E-C106-000000003602}7132C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034073Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:48.898{15964E91-054F-620E-0B00-000000003602}608648C:\Windows\system32\lsass.exe{15964E91-0D67-620E-C106-000000003602}7132C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034072Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:48.898{15964E91-054F-620E-0B00-000000003602}608648C:\Windows\system32\lsass.exe{15964E91-0D67-620E-C106-000000003602}7132C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034071Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:48.894{15964E91-054F-620E-0B00-000000003602}608648C:\Windows\system32\lsass.exe{15964E91-0D67-620E-C106-000000003602}7132C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034070Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:48.894{15964E91-054F-620E-0B00-000000003602}608648C:\Windows\system32\lsass.exe{15964E91-0D67-620E-C106-000000003602}7132C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034069Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:48.894{15964E91-054F-620E-0B00-000000003602}608648C:\Windows\system32\lsass.exe{15964E91-0D67-620E-C106-000000003602}7132C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034068Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:48.894{15964E91-054F-620E-0B00-000000003602}608648C:\Windows\system32\lsass.exe{15964E91-0D67-620E-C106-000000003602}7132C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034067Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:48.894{15964E91-054F-620E-0B00-000000003602}608648C:\Windows\system32\lsass.exe{15964E91-0D67-620E-C106-000000003602}7132C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034066Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:48.894{15964E91-054F-620E-0B00-000000003602}608648C:\Windows\system32\lsass.exe{15964E91-0D67-620E-C106-000000003602}7132C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034065Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:48.894{15964E91-054F-620E-0B00-000000003602}608648C:\Windows\system32\lsass.exe{15964E91-0D67-620E-C106-000000003602}7132C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034064Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:48.894{15964E91-054F-620E-0B00-000000003602}608648C:\Windows\system32\lsass.exe{15964E91-0D67-620E-C106-000000003602}7132C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034063Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:48.890{15964E91-054F-620E-0B00-000000003602}608648C:\Windows\system32\lsass.exe{15964E91-0D67-620E-C106-000000003602}7132C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034062Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:48.890{15964E91-054F-620E-0B00-000000003602}608648C:\Windows\system32\lsass.exe{15964E91-0D67-620E-C106-000000003602}7132C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034061Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:48.890{15964E91-054F-620E-0B00-000000003602}608648C:\Windows\system32\lsass.exe{15964E91-0D67-620E-C106-000000003602}7132C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034060Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:48.890{15964E91-054F-620E-0B00-000000003602}608648C:\Windows\system32\lsass.exe{15964E91-0D67-620E-C106-000000003602}7132C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034059Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:48.890{15964E91-054F-620E-0B00-000000003602}608648C:\Windows\system32\lsass.exe{15964E91-0D67-620E-C106-000000003602}7132C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034058Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:48.890{15964E91-054F-620E-0B00-000000003602}608648C:\Windows\system32\lsass.exe{15964E91-0D67-620E-C106-000000003602}7132C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 17141700x800000000000000034057Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-CreatePipe2022-02-17 09:24:48.887{15964E91-0D67-620E-C106-000000003602}7132\chrome.7132.135.197757520C:\Program Files\Mozilla Firefox\firefox.exe 23542300x800000000000000034056Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:48.391{15964E91-0D67-620E-C106-000000003602}7132ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\lqyh10pn.default-release\cache2\doomed\16757MD5=2D1E43EDFD81AC28BA73EBF549539ADE,SHA256=A7CF371E5FBF01DF51ECD4150AE4A3EA68C820AB289F43EBFCE8CC4E97FA0409,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034055Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:47.998{15964E91-0551-620E-1200-000000003602}4161700C:\Windows\system32\svchost.exe{15964E91-1385-620E-B207-000000003602}6624C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000034113Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:49.952{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39738B9DCAD73C4E0A3F2E1EE72C369F,SHA256=BB2A54B54A6C9ACB60BA54F48A2E32E5C178345ECF8AEA579B4AD06EE0C27BD2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034112Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:49.904{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5445C09E66BDBA644A3BD0E227AD0051,SHA256=FB07D05B4FD532BBF5BC218B668224E684B2D6F45F565F37D8D7868579CCD142,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034111Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:49.904{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B77BE8C341179F041B0E7FF5984355AE,SHA256=B7F69651C43B0854DD352B081CC97726BE42D98EBCAB7660DB8D3A44AB32B527,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034110Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:49.001{15964E91-0562-620E-2A00-000000003602}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-72.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-72.attackrange.local53869- 354300x800000000000000034109Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:48.948{15964E91-0562-620E-2A00-000000003602}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-72.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-72.attackrange.local55872- 23542300x800000000000000034108Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:49.363{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5438216534AAA421C4FB54DA4C3E40F7,SHA256=E5BE2CF6869AAA1B7B0AD3DDA72D9F4BFE1099749C1B8692845D233DFFCAAA56,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034107Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:48.578{15964E91-067A-620E-EA00-000000003602}944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-72.attackrange.local54599-false10.0.1.12-8000- 23542300x800000000000000034117Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:50.957{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC11C4153863C090E9B6FE19928DB7AD,SHA256=BF69C9BF422F47DC76C57A4A11CAA0BF90FA8B3168BE9E3AA6058E89C2693B7D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034116Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:50.489{15964E91-0D67-620E-C106-000000003602}7132ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\lqyh10pn.default-release\permissions.sqlite-journalMD5=91289A9A2E9976D3D44052D7ACCCBDC2,SHA256=43F1D42C0DB6B73D8D19B3B494B1884ECC5F6F9E227E8B2894CCC8B4DD111611,IMPHASH=00000000000000000000000000000000falsetrue 22542200x800000000000000034115Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:48.454{15964E91-0D67-620E-C106-000000003602}7132plus.l.google.com02a00:1450:4001:830::200e;C:\Program Files\Mozilla Firefox\firefox.exe 354300x800000000000000034114Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:49.006{15964E91-0562-620E-2A00-000000003602}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-72.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-72.attackrange.local63892- 23542300x800000000000000034118Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:51.958{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C33B9A1642E83CC9BEB6D2F2B0A11277,SHA256=FF6B486499C9BC9B2AAD34D95EC899650E418458AC1CDD7B851E88A0621DB30B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034120Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:52.964{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4FA30634485B52FD3F950AC69A73D1A,SHA256=12B2F64DF3F35EBE6ADE935899B132E33FBF0F20F918783D6E2F9A568A32E218,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034119Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:52.875{15964E91-0D67-620E-C106-000000003602}7132ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\lqyh10pn.default-release\cache2\doomed\1675MD5=AB4BA165721E9BAE1DABC0C5EBF50F22,SHA256=4A721E2DCFF5C94AC8FDF9E12EE54965454AFA185EC41BB701B55F32E7B4B03C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034125Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:53.969{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D93375C8930E814CED5F7887EED7E55,SHA256=C56B0F37C28AE33143395F0285181D6CD70F2BDD93B87467FC4077E02C9E2544,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034124Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:53.376{15964E91-0D67-620E-C106-000000003602}7132ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\lqyh10pn.default-release\webappsstore.sqlite-walMD5=53FA19F1532783027FC26B19F0CC73D2,SHA256=FE79E7DEEF38234BB7F1296BD4C48534E7319E90FBF9F32CE7C35288A37CBC3C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034123Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:53.372{15964E91-0D67-620E-C106-000000003602}7132ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\lqyh10pn.default-release\webappsstore.sqlite-shmMD5=5924998FEEE62F61B766985F27E86395,SHA256=A26A27AE3F55C554FCC25912C4BACF64A4FB061DF227312D2A587232A3B07E21,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034122Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:53.368{15964E91-0D67-620E-C106-000000003602}7132ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\lqyh10pn.default-release\storage\default\https+++www.google.com\ls\data.sqlite-journalMD5=A5C1223AEABB753B4DFC254312297850,SHA256=B7576F38654027908EF5AFECBD99AF74C5AB658A2E08A550E92AED36A7A8CAD4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034121Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:53.352{15964E91-0D67-620E-C106-000000003602}7132ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\lqyh10pn.default-release\storage\default\https+++www.google.com\ls\usageMD5=C26F23E43A33D3A50EB716E5AA8FF1B2,SHA256=291C3CA5526E021864E5FF85DCD614703DC035BB8DF5B68326568A6033AC4FC1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034126Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:54.970{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB5A682DECA400B176A9EE92D8777ED2,SHA256=B6F2C5F2742CC22D31EA600C1A1DF1C0224A7CB7C885069E61BEBF2BD17E8ADC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034127Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:55.972{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7DBE9F24FBA3CD4387BFA392C3B0333,SHA256=C84921758D62EFA6F5034380F10BBCEA8F3B1A16E8CDB5805067B5ED4DEBF979,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034128Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:53.678{15964E91-067A-620E-EA00-000000003602}944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-72.attackrange.local54600-false10.0.1.12-8000- 23542300x800000000000000034129Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:57.077{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F7DBC5C3F8477D3B825744BE60E87B1,SHA256=9296B1A9FCE3A46610A65CE974EE86E494FF37CE520463FE20C1BF240FC89135,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034130Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:58.079{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6204FEEA0BD0E24949FB21257E4F0D0E,SHA256=C126F95B6E01F9C502460FBAAB2561CDD5ED7251A13E6124166E25B9E169EC65,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034131Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:59.091{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A10A3B682A01D672E5BA353C3A267BFC,SHA256=859DD364F3E644AD4684BB78EA7B177A0183A7D32089E25B48DD55D7ED76F1BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034132Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:00.116{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A2FDCF9EB65B817C7A11AF98969F151,SHA256=8A3E55DDED9566BF247CAC343CF756C78CD4A337D2D6FAEB460D0D8D4250300D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034134Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:01.121{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61AD205974433235CA7A9209B425303B,SHA256=F4910BF45A0A261998EAA0492E1B5EC68B4F2F1351A2FE395BD1EBA50657B342,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034133Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:58.739{15964E91-067A-620E-EA00-000000003602}944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-72.attackrange.local54601-false10.0.1.12-8000- 10341000x800000000000000034139Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:02.782{15964E91-0551-620E-1200-000000003602}4161700C:\Windows\system32\svchost.exe{15964E91-1428-620E-CD07-000000003602}5568C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 17141700x800000000000000034138Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-CreatePipe2022-02-17 09:25:02.512{15964E91-0D67-620E-C106-000000003602}7132\chrome.7132.137.202538484C:\Program Files\Mozilla Firefox\firefox.exe 10341000x800000000000000034137Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:02.501{15964E91-0D67-620E-C106-000000003602}71324796C:\Program Files\Mozilla Firefox\firefox.exe{15964E91-1385-620E-B207-000000003602}6624C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+2ba20|C:\Program Files\Mozilla Firefox\xul.dll+e4d42d|C:\Program Files\Mozilla Firefox\xul.dll+e4ceb8|C:\Program Files\Mozilla Firefox\xul.dll+844fb2|C:\Program Files\Mozilla Firefox\xul.dll+8390ea|C:\Program Files\Mozilla Firefox\xul.dll+19df6f7|C:\Program Files\Mozilla Firefox\xul.dll+16aee96|C:\Program Files\Mozilla Firefox\xul.dll+1a05b8f|C:\Program Files\Mozilla Firefox\xul.dll+9945bf|C:\Program Files\Mozilla Firefox\xul.dll+2479e|C:\Program Files\Mozilla Firefox\xul.dll+18eaa8|C:\Program Files\Mozilla Firefox\xul.dll+18d99f|C:\Program Files\Mozilla Firefox\xul.dll+43e0a51|C:\Program Files\Mozilla Firefox\xul.dll+444af9b|C:\Program Files\Mozilla Firefox\xul.dll+444bd89|C:\Program Files\Mozilla Firefox\xul.dll+1f9ea33|C:\Program Files\Mozilla Firefox\firefox.exe+9e20|C:\Program Files\Mozilla Firefox\firefox.exe+1ca68|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034136Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:02.492{15964E91-0D67-620E-C106-000000003602}71324796C:\Program Files\Mozilla Firefox\firefox.exe{15964E91-1428-620E-CD07-000000003602}5568C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+2ba20|C:\Program Files\Mozilla Firefox\xul.dll+e4d42d|C:\Program Files\Mozilla Firefox\xul.dll+e47659|C:\Program Files\Mozilla Firefox\xul.dll+e48048|C:\Program Files\Mozilla Firefox\xul.dll+e363d1|C:\Program Files\Mozilla Firefox\xul.dll+4218b14|C:\Program Files\Mozilla Firefox\xul.dll+243d6f0|C:\Program Files\Mozilla Firefox\xul.dll+98726e|C:\Program Files\Mozilla Firefox\xul.dll+948901|C:\Program Files\Mozilla Firefox\xul.dll+18f18d|C:\Program Files\Mozilla Firefox\xul.dll+98a737|C:\Program Files\Mozilla Firefox\xul.dll+95183a|C:\Program Files\Mozilla Firefox\xul.dll+9545f1|C:\Program Files\Mozilla Firefox\xul.dll+95340e|C:\Program Files\Mozilla Firefox\xul.dll+952787|C:\Program Files\Mozilla Firefox\xul.dll+95c8a2|C:\Program Files\Mozilla Firefox\xul.dll+8959ca|C:\Program Files\Mozilla Firefox\xul.dll+82af27|C:\Program Files\Mozilla Firefox\xul.dll+19df6f7|C:\Program Files\Mozilla Firefox\xul.dll+16aee96|C:\Program Files\Mozilla Firefox\xul.dll+1a05b8f|C:\Program Files\Mozilla Firefox\xul.dll+9945bf 23542300x800000000000000034135Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:02.126{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD9C84D0B814324590BB44A035842BE7,SHA256=99B62597F5DFA639C14FA5338270994DF99E6A5E4A6980D28539164DCE660942,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034194Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:03.082{15964E91-0D67-620E-C106-000000003602}7132C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-tcontreras-attack-range-72.attackrange.local54603-false185.199.108.154cdn-185-199-108-154.github.com443https 10341000x800000000000000034193Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:03.603{15964E91-0551-620E-1200-000000003602}4161700C:\Windows\system32\svchost.exe{15964E91-146F-620E-D707-000000003602}5032C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000034192Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:03.603{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A427053121DDA88F8EBBC9C439BD587,SHA256=63E4E8604FD6BFA83B4D53B966397E8FFA430C9C5892BDF8A68EDDBA8C67673D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034191Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:03.603{15964E91-0551-620E-1200-000000003602}4161700C:\Windows\system32\svchost.exe{15964E91-146F-620E-D707-000000003602}5032C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034190Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:03.587{15964E91-054F-620E-0B00-000000003602}608656C:\Windows\system32\lsass.exe{15964E91-146F-620E-D707-000000003602}5032C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034189Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:03.587{15964E91-054F-620E-0B00-000000003602}608656C:\Windows\system32\lsass.exe{15964E91-146F-620E-D707-000000003602}5032C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x800000000000000034188Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-ConnectPipe2022-02-17 09:25:03.563{15964E91-0D67-620E-C106-000000003602}7132\cubeb-pipe-7132-47C:\Program Files\Mozilla Firefox\firefox.exe 17141700x800000000000000034187Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-CreatePipe2022-02-17 09:25:03.563{15964E91-0D67-620E-C106-000000003602}7132\cubeb-pipe-7132-47C:\Program Files\Mozilla Firefox\firefox.exe 10341000x800000000000000034186Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:03.543{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-146F-620E-D707-000000003602}5032C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034185Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:03.539{15964E91-0551-620E-1600-000000003602}13281368C:\Windows\system32\svchost.exe{15964E91-146F-620E-D707-000000003602}5032C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x800000000000000034184Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-ConnectPipe2022-02-17 09:25:03.539{15964E91-0D69-620E-C206-000000003602}6692\chrome.7132.139.51696225C:\Program Files\Mozilla Firefox\firefox.exe 17141700x800000000000000034183Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-CreatePipe2022-02-17 09:25:03.539{15964E91-0D67-620E-C106-000000003602}7132\chrome.7132.139.51696225C:\Program Files\Mozilla Firefox\firefox.exe 10341000x800000000000000034182Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:03.539{15964E91-0D67-620E-C106-000000003602}71322220C:\Program Files\Mozilla Firefox\firefox.exe{15964E91-146F-620E-D707-000000003602}5032C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+19fd0bf|C:\Program Files\Mozilla Firefox\xul.dll+19fb95b|C:\Program Files\Mozilla Firefox\xul.dll+12bc5|C:\Program Files\Mozilla Firefox\xul.dll+9945bf|C:\Program Files\Mozilla Firefox\xul.dll+127a7|C:\Program Files\Mozilla Firefox\xul.dll+991801|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1d4d8|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x800000000000000034181Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-ConnectPipe2022-02-17 09:25:03.539{15964E91-0D67-620E-C106-000000003602}7132\chrome.7132.138.147582663C:\Program Files\Mozilla Firefox\firefox.exe 10341000x800000000000000034180Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:03.535{15964E91-0D67-620E-C106-000000003602}71323292C:\Program Files\Mozilla Firefox\firefox.exe{15964E91-146F-620E-D707-000000003602}5032C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+12332b|C:\Program Files\Mozilla Firefox\xul.dll+121a9ff|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1d4d8|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x800000000000000034179Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-ConnectPipe2022-02-17 09:25:03.535{15964E91-0D67-620E-C106-000000003602}7132\gecko-crash-server-pipe.7132C:\Program Files\Mozilla Firefox\firefox.exe 10341000x800000000000000034178Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:03.515{15964E91-0D67-620E-C106-000000003602}71324796C:\Program Files\Mozilla Firefox\firefox.exe{15964E91-146F-620E-D707-000000003602}5032C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+2ba20|C:\Program Files\Mozilla Firefox\xul.dll+e4d42d|C:\Program Files\Mozilla Firefox\xul.dll+e47659|C:\Program Files\Mozilla Firefox\xul.dll+e38491|C:\Program Files\Mozilla Firefox\xul.dll+e46718|C:\Program Files\Mozilla Firefox\xul.dll+7cb4e4|C:\Program Files\Mozilla Firefox\xul.dll+19df6f7|C:\Program Files\Mozilla Firefox\xul.dll+19de1b3|C:\Program Files\Mozilla Firefox\xul.dll+16b00b5|C:\Program Files\Mozilla Firefox\xul.dll+1a05d93|C:\Program Files\Mozilla Firefox\xul.dll+9945bf|C:\Program Files\Mozilla Firefox\xul.dll+2479e|C:\Program Files\Mozilla Firefox\xul.dll+18eaa8|C:\Program Files\Mozilla Firefox\xul.dll+18d99f|C:\Program Files\Mozilla Firefox\xul.dll+43e0a51|C:\Program Files\Mozilla Firefox\xul.dll+444af9b|C:\Program Files\Mozilla Firefox\xul.dll+444bd89|C:\Program Files\Mozilla Firefox\xul.dll+1f9ea33|C:\Program Files\Mozilla Firefox\firefox.exe+9e20|C:\Program Files\Mozilla Firefox\firefox.exe+1ca68|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034177Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:03.514{15964E91-0D67-620E-C106-000000003602}71322220C:\Program Files\Mozilla Firefox\firefox.exe{15964E91-146F-620E-D707-000000003602}5032C:\Program Files\Mozilla Firefox\firefox.exe0x101451C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+9a99af|C:\Program Files\Mozilla Firefox\xul.dll+7cb4e4|C:\Program Files\Mozilla Firefox\xul.dll+19fb56f|C:\Program Files\Mozilla Firefox\xul.dll+12bc5|C:\Program Files\Mozilla Firefox\xul.dll+9945bf|C:\Program Files\Mozilla Firefox\xul.dll+127a7|C:\Program Files\Mozilla Firefox\xul.dll+991801|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1d4d8|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034176Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:03.509{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034175Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:03.508{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034174Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:03.508{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034173Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:03.508{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034172Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:03.508{15964E91-0B49-620E-4B06-000000003602}24361352C:\Windows\system32\csrss.exe{15964E91-146F-620E-D707-000000003602}5032C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000034171Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:03.508{15964E91-0D67-620E-C106-000000003602}71326696C:\Program Files\Mozilla Firefox\firefox.exe{15964E91-146F-620E-D707-000000003602}5032C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\ADVAPI32.dll+189bf|C:\Program Files\Mozilla Firefox\firefox.exe+30d6d|C:\Program Files\Mozilla Firefox\firefox.exe+2ff95|C:\Program Files\Mozilla Firefox\xul.dll+205542a|C:\Program Files\Mozilla Firefox\xul.dll+9a599e|C:\Program Files\Mozilla Firefox\xul.dll+9a3b55|C:\Program Files\Mozilla Firefox\xul.dll+9aa7de|C:\Program Files\Mozilla Firefox\xul.dll+83735d|C:\Program Files\Mozilla Firefox\xul.dll+16af1e9|C:\Program Files\Mozilla Firefox\xul.dll+16ae34a|C:\Program Files\Mozilla Firefox\xul.dll+9945bf|C:\Program Files\Mozilla Firefox\xul.dll+2479e|C:\Program Files\Mozilla Firefox\xul.dll+83a0fb|C:\Program Files\Mozilla Firefox\nss3.dll+6b2c|C:\Program Files\Mozilla Firefox\nss3.dll+8feb1|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1d4d8|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000034170Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:03.507{15964E91-146F-620E-D707-000000003602}5032C:\Program Files\Mozilla Firefox\firefox.exe97.0FirefoxFirefoxMozilla Corporationfirefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="7132.138.1475826635\350638408" -childID 48 -isForBrowser -prefsHandle 7212 -prefMapHandle 5132 -prefsLen 14938 -prefMapSize 242227 -jsInitHandle 1064 -jsInitLen 279340 -parentBuildID 20220202182137 -appDir "C:\Program Files\Mozilla Firefox\browser" - 7132 "\\.\pipe\gecko-crash-server-pipe.7132" 6464 27ba2207548 tabC:\Program Files\Mozilla Firefox\ATTACKRANGE\Administrator{15964E91-0B4B-620E-27B1-370000000000}0x37b1272LowMD5=483C957E78DC5F376690F2A723122472,SHA256=D6BBFEF307CEF9D87BA5D40AC14315545CEFBBDECF705912C52C848EEBF8649D,IMPHASH=FAFFE564A2DAFFCCC4A6BE71D34C1748{15964E91-0D67-620E-C106-000000003602}7132C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" 10341000x800000000000000034169Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:03.503{15964E91-054F-620E-0B00-000000003602}608656C:\Windows\system32\lsass.exe{15964E91-0D67-620E-C106-000000003602}7132C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034168Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:03.503{15964E91-054F-620E-0B00-000000003602}608656C:\Windows\system32\lsass.exe{15964E91-0D67-620E-C106-000000003602}7132C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034167Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:03.503{15964E91-054F-620E-0B00-000000003602}608656C:\Windows\system32\lsass.exe{15964E91-0D67-620E-C106-000000003602}7132C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034166Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:03.503{15964E91-054F-620E-0B00-000000003602}608656C:\Windows\system32\lsass.exe{15964E91-0D67-620E-C106-000000003602}7132C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034165Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:03.503{15964E91-054F-620E-0B00-000000003602}608656C:\Windows\system32\lsass.exe{15964E91-0D67-620E-C106-000000003602}7132C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034164Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:03.503{15964E91-054F-620E-0B00-000000003602}608656C:\Windows\system32\lsass.exe{15964E91-0D67-620E-C106-000000003602}7132C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034163Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:03.503{15964E91-054F-620E-0B00-000000003602}608656C:\Windows\system32\lsass.exe{15964E91-0D67-620E-C106-000000003602}7132C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034162Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:03.503{15964E91-054F-620E-0B00-000000003602}608656C:\Windows\system32\lsass.exe{15964E91-0D67-620E-C106-000000003602}7132C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034161Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:03.503{15964E91-054F-620E-0B00-000000003602}608656C:\Windows\system32\lsass.exe{15964E91-0D67-620E-C106-000000003602}7132C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034160Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:03.503{15964E91-054F-620E-0B00-000000003602}608656C:\Windows\system32\lsass.exe{15964E91-0D67-620E-C106-000000003602}7132C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034159Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:03.503{15964E91-054F-620E-0B00-000000003602}608656C:\Windows\system32\lsass.exe{15964E91-0D67-620E-C106-000000003602}7132C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034158Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:03.503{15964E91-054F-620E-0B00-000000003602}608656C:\Windows\system32\lsass.exe{15964E91-0D67-620E-C106-000000003602}7132C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034157Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:03.503{15964E91-054F-620E-0B00-000000003602}608656C:\Windows\system32\lsass.exe{15964E91-0D67-620E-C106-000000003602}7132C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034156Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:03.503{15964E91-054F-620E-0B00-000000003602}608656C:\Windows\system32\lsass.exe{15964E91-0D67-620E-C106-000000003602}7132C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034155Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:03.503{15964E91-054F-620E-0B00-000000003602}608656C:\Windows\system32\lsass.exe{15964E91-0D67-620E-C106-000000003602}7132C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034154Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:03.503{15964E91-054F-620E-0B00-000000003602}608656C:\Windows\system32\lsass.exe{15964E91-0D67-620E-C106-000000003602}7132C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034153Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:03.503{15964E91-054F-620E-0B00-000000003602}608656C:\Windows\system32\lsass.exe{15964E91-0D67-620E-C106-000000003602}7132C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034152Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:03.503{15964E91-054F-620E-0B00-000000003602}608656C:\Windows\system32\lsass.exe{15964E91-0D67-620E-C106-000000003602}7132C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034151Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:03.503{15964E91-054F-620E-0B00-000000003602}608656C:\Windows\system32\lsass.exe{15964E91-0D67-620E-C106-000000003602}7132C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034150Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:03.503{15964E91-054F-620E-0B00-000000003602}608656C:\Windows\system32\lsass.exe{15964E91-0D67-620E-C106-000000003602}7132C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034149Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:03.503{15964E91-054F-620E-0B00-000000003602}608656C:\Windows\system32\lsass.exe{15964E91-0D67-620E-C106-000000003602}7132C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034148Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:03.503{15964E91-054F-620E-0B00-000000003602}608656C:\Windows\system32\lsass.exe{15964E91-0D67-620E-C106-000000003602}7132C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034147Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:03.503{15964E91-054F-620E-0B00-000000003602}608656C:\Windows\system32\lsass.exe{15964E91-0D67-620E-C106-000000003602}7132C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034146Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:03.503{15964E91-054F-620E-0B00-000000003602}608656C:\Windows\system32\lsass.exe{15964E91-0D67-620E-C106-000000003602}7132C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034145Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:03.503{15964E91-054F-620E-0B00-000000003602}608656C:\Windows\system32\lsass.exe{15964E91-0D67-620E-C106-000000003602}7132C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034144Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:03.499{15964E91-054F-620E-0B00-000000003602}608656C:\Windows\system32\lsass.exe{15964E91-0D67-620E-C106-000000003602}7132C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 17141700x800000000000000034143Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-CreatePipe2022-02-17 09:25:03.495{15964E91-0D67-620E-C106-000000003602}7132\chrome.7132.138.147582663C:\Program Files\Mozilla Firefox\firefox.exe 354300x800000000000000034142Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:02.524{15964E91-0D67-620E-C106-000000003602}7132C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-tcontreras-attack-range-72.attackrange.local54602-false140.82.121.4lb-140-82-121-4-fra.github.com443https 23542300x800000000000000034141Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:03.139{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A158B9346D7ABB9DE52639B80708CAB,SHA256=7445E502E4263E0D572589077CD0C77AC6A3B04CEF152AD697D75F1D8D5A6790,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000034140Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-SetValue2022-02-17 09:25:03.122{15964E91-0551-620E-1200-000000003602}416C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d823e0-0x3e3c6dfb) 23542300x800000000000000034199Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:04.340{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E125007A77B617EECFA6D4249D6519F1,SHA256=723FE25F6C8CB2042664E1ACF0F9BA213624B6D2ADB50B4ADC46934233CE989F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034198Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:04.337{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5445C09E66BDBA644A3BD0E227AD0051,SHA256=FB07D05B4FD532BBF5BC218B668224E684B2D6F45F565F37D8D7868579CCD142,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034197Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:03.580{15964E91-0562-620E-2A00-000000003602}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-72.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-72.attackrange.local65002- 23542300x800000000000000034196Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:04.152{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8283B8B11A8704D069A48B395B46687F,SHA256=F7E85541D0095E396E69E345534A1B24658711761B730795F4F0FAB493EAFEEB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034195Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:04.088{15964E91-0D67-620E-C106-000000003602}7132ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\lqyh10pn.default-release\permissions.sqlite-journalMD5=D6FF8624453F1428093072DECC9A125F,SHA256=6853441A9553E1C89D32F30A8C49686DBCD87860B6C7963E7095EDE705976217,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034207Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:03.814{15964E91-054F-620E-0B00-000000003602}608C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-72.attackrange.local54604-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-72.attackrange.local389ldap 354300x800000000000000034206Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:03.814{15964E91-0562-620E-2800-000000003602}2872C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-72.attackrange.local54604-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-72.attackrange.local389ldap 354300x800000000000000034205Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:03.696{15964E91-0562-620E-2A00-000000003602}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-72.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-72.attackrange.local50113- 354300x800000000000000034204Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:03.695{15964E91-0562-620E-2A00-000000003602}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-72.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-72.attackrange.local51224- 23542300x800000000000000034203Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:05.171{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4BE97E630EFA5E25B6E4EC410E5ABC9,SHA256=812D7A00B580276418D120B41CB0A546F1BFBA361FF88A42DFB5ADD7F1710B98,IMPHASH=00000000000000000000000000000000falsetrue 22542200x800000000000000034202Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:03.095{15964E91-0D67-620E-C106-000000003602}7132glb-db52c2cf8be544.github.com0140.82.112.22;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000034201Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:03.095{15964E91-0D67-620E-C106-000000003602}7132collector.github.com0type: 5 glb-db52c2cf8be544.github.com;::ffff:140.82.112.22;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000034200Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:02.029{15964E91-0D67-620E-C106-000000003602}7132github.com0::ffff:140.82.121.3;C:\Program Files\Mozilla Firefox\firefox.exe 23542300x800000000000000034210Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:06.514{15964E91-0672-620E-BC00-000000003602}4852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=554F80C87A60F88447015614FA504F09,SHA256=9734764964C63DD96DF33102D80013D51246168D99B6876127D1078C9C381AF6,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034209Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:04.725{15964E91-067A-620E-EA00-000000003602}944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-72.attackrange.local54605-false10.0.1.12-8000- 23542300x800000000000000034208Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:06.172{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FDFD615B28270D7C654427E797B9D4D3,SHA256=648C5422DF5BF30944E4EAD30929C754386FC5BA837CB869EFCB3F9918C96952,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000034215Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:07.261{15964E91-0D67-620E-C106-000000003602}7132C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\lqyh10pn.default-release\AlternateServices.txt2022-02-17 09:00:07.216 23542300x800000000000000034214Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:07.261{15964E91-0D67-620E-C106-000000003602}7132ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\lqyh10pn.default-release\AlternateServices.txtMD5=A05B832A4EB7D67CFEA7DA42987F9C5B,SHA256=D58748964A08D2A88805C8DE04FC6437FD938813568509D8141F0B22DE6668A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034213Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:07.173{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8EC7CEAF7C912B38ADB9A413A7B3789,SHA256=E9AC4055820620B17B54E6BAC9AE3386A3B3CE61FA53E498202EDDBBA5EE23E7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000034212Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:07.133{15964E91-0D67-620E-C106-000000003602}7132C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\lqyh10pn.default-release\SiteSecurityServiceState.txt2022-02-17 09:00:07.085 23542300x800000000000000034211Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:07.133{15964E91-0D67-620E-C106-000000003602}7132ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\lqyh10pn.default-release\SiteSecurityServiceState.txtMD5=90301954A2A947DD18BDACC9FD8805FE,SHA256=17E80BC32F7406E0C14525D5F4C6F0507D4E1D067572EC2F10AB65FCCA2244C1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034226Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:08.322{15964E91-0B4D-620E-6506-000000003602}3824312C:\Windows\Explorer.EXE{15964E91-0D67-620E-C106-000000003602}7132C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+55bd0|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF8034F86AFD8)|UNKNOWN(FFFF835D954A5B68)|UNKNOWN(FFFF835D954A5CE7)|UNKNOWN(FFFF835D954A0371)|UNKNOWN(FFFF835D954A1D3A)|UNKNOWN(FFFF835D9549FFF6)|UNKNOWN(FFFFF8034F582503)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5942b|C:\Windows\System32\SHELL32.dll+dac8a|C:\Windows\System32\SHCORE.dll+33fad 10341000x800000000000000034225Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:08.321{15964E91-0B4D-620E-6506-000000003602}3824312C:\Windows\Explorer.EXE{15964E91-0D67-620E-C106-000000003602}7132C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+556b1|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF8034F86AFD8)|UNKNOWN(FFFF835D954A5B68)|UNKNOWN(FFFF835D954A5CE7)|UNKNOWN(FFFF835D954A0371)|UNKNOWN(FFFF835D954A1D3A)|UNKNOWN(FFFF835D9549FFF6)|UNKNOWN(FFFFF8034F582503)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5942b|C:\Windows\System32\SHELL32.dll+dac8a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000034224Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:08.321{15964E91-0D67-620E-C106-000000003602}7132ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RF3b3653.TMPMD5=D8C7802F2F86D4A8F084F94C507AC3E3,SHA256=2BE27CA4C8487C0A57B8EEB413DBB09EB2843929F23BE9294110B7F017ABB192,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034223Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:08.178{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F3D6E971E160B8E82A34A39BF3C9CD2,SHA256=9DF77A0E8C986C41EAEB7531F22E80F7296FFD7EB59FEFC143EE94202BCA3142,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034222Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:08.134{15964E91-0D67-620E-C106-000000003602}7132ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\lqyh10pn.default-release\webappsstore.sqlite-walMD5=9109665C157B8B62D599766A18DF7321,SHA256=B1A3187F26330588A3B3387047D301FB8450567BBE5A9F989E2D2D283C879C3C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034221Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:08.134{15964E91-0D67-620E-C106-000000003602}7132ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\lqyh10pn.default-release\webappsstore.sqlite-shmMD5=BDFE5F5F64F478B3FFB188D610B39091,SHA256=C030B33C07A8E6B7E00F56A39642707A0E8258F5274EDDBB99E71B5198C2AD18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034220Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:08.130{15964E91-0D67-620E-C106-000000003602}7132ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\lqyh10pn.default-release\storage\default\https+++github.com\ls\data.sqlite-journalMD5=864E8DA849524FE90A7EC629E78646C4,SHA256=3737E3ADBDFA9C981955AC7FFC37CFD32DAE4D4BCAA45A010A90C6D2C7CB328A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034219Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:08.114{15964E91-0D67-620E-C106-000000003602}7132ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\lqyh10pn.default-release\storage\default\https+++github.com\ls\data.sqlite-journalMD5=10DB1AC75FBF79C2001CF127113481EA,SHA256=621B8864C4D868A9560DB8A230029319607D2D5D47D44C7572D19CFDE282575B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034218Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:08.106{15964E91-0D67-620E-C106-000000003602}7132ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\lqyh10pn.default-release\storage\default\https+++github.com\ls\data.sqlite-journalMD5=98D550DC1D38AC8D653CF26282BD0718,SHA256=358DDCA401D78AD79B182D571497A7B5FDABF66B30F120237FD0FEA204BA0600,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034217Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:08.098{15964E91-0D67-620E-C106-000000003602}7132ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\lqyh10pn.default-release\storage\default\https+++github.com\ls\data.sqlite-journalMD5=B4815B7E1EF73DAD62740190D7275D60,SHA256=3C289B6A4700DB2CF2FA99CFFB6007CC944DCBDAF8777DB6CF2F7CB65DB6B283,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034216Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:06.989{15964E91-0672-620E-BC00-000000003602}4852C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-72.attackrange.local54606-false10.0.1.12-8089- 10341000x800000000000000034228Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:09.255{15964E91-0551-620E-0D00-000000003602}8804684C:\Windows\system32\svchost.exe{15964E91-0D67-620E-C106-000000003602}7132C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000034227Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:09.179{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C15DCCAE2FD0EC7776F7F6C791EFD0F,SHA256=98BFD5CECCD4A5F6D56E189FA95B5D59F3D87D50695DC52A8147E0D09231F9E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034229Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:10.196{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=367E1D781509DF502E1B1D9506541135,SHA256=2D0ED23C4FA23ED64804D5AEAE4E83B0BD0D28A33150101483B280A92F92D96D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034230Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:11.198{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D65F1B094BFC34FC3EC79EC35CD196A4,SHA256=B1964D4AD2A79F6A512E1D66B68A08AD43A869F9E8C68DE5625D4B7E8E77C4F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034232Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:12.200{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48517FA6A72B6B43E468B116F6852142,SHA256=7B7DA8D8115F9B8B2C9B8A706BE2859825FADF3D3A038F1CECEC6A5BB78442A3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034231Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:10.681{15964E91-067A-620E-EA00-000000003602}944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-72.attackrange.local54607-false10.0.1.12-8000- 23542300x800000000000000034233Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:13.206{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6761F675CDF39DDDD80E7EF096B08406,SHA256=074D1AAC19F907937035354C0BDEFD26EFBF4870114F0B84B00CF523FED226CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034234Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:14.207{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=181FBFC3D81AB388A4EA0B853B32D17B,SHA256=E898F669BFB01BEDB95A15472D3101365E0CADC330FFD39AC9E9926BF4EB7463,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034235Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:15.216{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5EAA0C107A732E8088479FE7746C63E6,SHA256=8FA08A4617862E0D921A1D67E47543B1DD0693BDA02254BE8770A0A51E5037D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034236Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:16.218{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=581EF9DC403D5BE20112DBB50DA9B934,SHA256=89602D5E79BE0CB3A5B2D670033FFCD3D9732E62F9209F7EAFE0C86DED3978F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034237Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:17.220{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA54808B4F6A4831D0FCBDB3668F8847,SHA256=E9896596DE69C862341E0548EF2D6DF78EC0500AB1B09938A37D9D2D6457E147,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034239Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:18.223{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52416C60ED76227BAFAA0EF218CAB225,SHA256=2BABC9E41A5B7FE87C4427CA966A02B69AA0E92400305DE9FB1D2C0E50383943,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034238Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:16.586{15964E91-067A-620E-EA00-000000003602}944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-72.attackrange.local54608-false10.0.1.12-8000- 23542300x800000000000000034242Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:19.494{15964E91-0D67-620E-C106-000000003602}7132ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\lqyh10pn.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034241Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:19.494{15964E91-0D67-620E-C106-000000003602}7132ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\lqyh10pn.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmMD5=6CC0C8CC9654494D3006707B5EEB4411,SHA256=FFFC8D088DF0BFD9F172A3B4DC21A4AF76C788CC79ED65583FD45EDC36C51591,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034240Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:19.226{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89728333E10809491CE7AD069139CC81,SHA256=DBEFF74BFFF53CEFAF691F2CE79120DA5EAEDD9F32A35429ABC1E5DCE319AFE2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034243Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:20.240{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9A564C790A7BFB9789968679DDF8202,SHA256=A0A89B033A8CA280EE6CC593F9DCD35E466C3F16366C7D356577F91CE4913D42,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034244Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:21.299{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=996E2FCAFF24066B64833A7DC905BDB4,SHA256=D50A6F074C4DCBFCFBCE2167CA798D2A75DBA308103435D000A600E59830A3E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034245Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:22.303{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3FD037C6736560AF9BA5878A69229F9,SHA256=E7638F3241A28BC315CC8B452EEBBD63E124C8EA0814E773DE4AB3A21833597B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034247Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:22.591{15964E91-067A-620E-EA00-000000003602}944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-72.attackrange.local54609-false10.0.1.12-8000- 23542300x800000000000000034246Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:23.312{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06F218493CC25C6126ED4C83AC246EAA,SHA256=FFBD52CDC5CC8FC70187444B2779922873548FAB1DB656E8B894609030E7B73C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034248Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:24.343{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36A929AC5B44CD08AD90E6B0BBF22010,SHA256=782B00DFEB05A83791EBE63D57C59147F74AFCD5FD3F317D695B77E379F431C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034249Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:25.347{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=689F37E0DE22FCFDDD190EC5806EDAD0,SHA256=4C745B9CD0F99392BA271BAAD217CD213E45FEB471000960A7CBCDC793EE36F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034251Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:26.634{15964E91-0562-620E-2C00-000000003602}3036NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0cd13038d9acfb6a1\channels\health\respondent-20220217082052-062MD5=5CDEFFEB9D405321091B6D567D00213B,SHA256=694D3E29A1B4A6F1E67ADE1AE836583F1FB15D03FD159997E24992AEAD1D69F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034250Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:26.377{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE6F208A09F734BFF8E5E85A2878EFF0,SHA256=61E3A901A3DAF934AA413071F767104DAF428E8F67131FA1E3F999F5522160B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034253Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:27.634{15964E91-0562-620E-2C00-000000003602}3036NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0cd13038d9acfb6a1\channels\health\surveyor-20220217082050-063MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034252Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:27.380{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF5EEBDED913C70339D0E1138F8A216A,SHA256=6FE18C973D931AE3CB32927BD82E482A4A662E4C3B4E13D8CA0D08A1E6FDBE4D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034255Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:27.725{15964E91-067A-620E-EA00-000000003602}944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-72.attackrange.local54610-false10.0.1.12-8000- 23542300x800000000000000034254Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:28.380{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B9686F20DA0B922E7EB4B3CB21D0675,SHA256=C0860FE14CB9D67ADEE1F60F0812A2DDC7A93569393A4128CCEE88663C9E16BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034256Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:29.380{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29A84CCC16EEC7E09E8438818AC36211,SHA256=5B31155608DBD005EA921CC845F815A9BFD9F09BFF6822F4C49DD617CA94443E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034265Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:30.432{15964E91-0672-620E-C000-000000003602}31923852C:\Windows\system32\conhost.exe{15964E91-148A-620E-D807-000000003602}6652C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034264Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:30.432{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034263Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:30.432{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034262Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:30.432{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034261Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:30.432{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034260Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:30.432{15964E91-054E-620E-0500-000000003602}392508C:\Windows\system32\csrss.exe{15964E91-148A-620E-D807-000000003602}6652C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000034259Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:30.432{15964E91-0672-620E-BC00-000000003602}48522656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{15964E91-148A-620E-D807-000000003602}6652C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000034258Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:30.433{15964E91-148A-620E-D807-000000003602}6652C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{15964E91-054F-620E-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{15964E91-0672-620E-BC00-000000003602}4852C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000034257Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:30.397{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D93668C044ED3B4C24CEF7BB5C9EC6B,SHA256=3B99E1DED9338E6FE45E726AFF7B0B59284BFCA745682EF7BB7E7CF6779351D6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034285Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:31.983{15964E91-0672-620E-C000-000000003602}31923852C:\Windows\system32\conhost.exe{15964E91-148B-620E-DA07-000000003602}5580C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034284Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:31.983{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034283Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:31.983{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034282Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:31.983{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034281Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:31.983{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034280Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:31.983{15964E91-054E-620E-0500-000000003602}392408C:\Windows\system32\csrss.exe{15964E91-148B-620E-DA07-000000003602}5580C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000034279Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:31.983{15964E91-0672-620E-BC00-000000003602}48522656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{15964E91-148B-620E-DA07-000000003602}5580C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000034278Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:31.984{15964E91-148B-620E-DA07-000000003602}5580C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{15964E91-054F-620E-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{15964E91-0672-620E-BC00-000000003602}4852C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000034277Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:31.436{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D1C5D3F9603BA52FE3A2AFE98ECC7361,SHA256=FFF8333B061B8646FC27D9116FE151AAD6217D45A0B2002DB4001F6D737A9FF9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034276Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:31.436{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E125007A77B617EECFA6D4249D6519F1,SHA256=723FE25F6C8CB2042664E1ACF0F9BA213624B6D2ADB50B4ADC46934233CE989F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034275Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:31.405{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB2970FC7835635A7BBD9966CD563185,SHA256=F0AF8010B0F940A203A5396778B2ABD77B7BEC02248A5E85E1A18DB5B2D93A1F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034274Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:31.321{15964E91-148B-620E-D907-000000003602}51965516C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{15964E91-0672-620E-BC00-000000003602}4852C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034273Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:31.105{15964E91-0672-620E-C000-000000003602}31923852C:\Windows\system32\conhost.exe{15964E91-148B-620E-D907-000000003602}5196C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034272Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:31.099{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034271Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:31.099{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034270Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:31.099{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034269Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:31.099{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034268Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:31.099{15964E91-054E-620E-0500-000000003602}392508C:\Windows\system32\csrss.exe{15964E91-148B-620E-D907-000000003602}5196C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000034267Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:31.098{15964E91-0672-620E-BC00-000000003602}48522656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{15964E91-148B-620E-D907-000000003602}5196C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000034266Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:31.097{15964E91-148B-620E-D907-000000003602}5196C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{15964E91-054F-620E-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{15964E91-0672-620E-BC00-000000003602}4852C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000034286Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:32.420{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8378810A77C37F28422EB5FAC697EC2F,SHA256=6C196084229DD8ADAA82DCA3C73A7D6BA607593C8C0FA6F59F7E08649499B605,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034299Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:32.913{15964E91-0562-620E-2A00-000000003602}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-72.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-72.attackrange.local62706- 23542300x800000000000000034298Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:33.444{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54C4F53202D1D416B9183941E7409C06,SHA256=49E7689227A681CCC4C97A6464563A94D298D73FB19ED5D22365D0965CB395AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034297Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:33.430{15964E91-0551-620E-1100-000000003602}396NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=FCCCAD37888A28013B2945325D1FEB0E,SHA256=91E2AD87B7B637281D95A5208EBD93C3B5F45278D2EE5161975339107733A5F3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034296Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:33.412{15964E91-148D-620E-DB07-000000003602}34646188C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{15964E91-0672-620E-BC00-000000003602}4852C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034295Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:33.235{15964E91-0672-620E-C000-000000003602}31923852C:\Windows\system32\conhost.exe{15964E91-148D-620E-DB07-000000003602}3464C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034294Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:33.235{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034293Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:33.235{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034292Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:33.235{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034291Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:33.235{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034290Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:33.235{15964E91-054E-620E-0500-000000003602}392476C:\Windows\system32\csrss.exe{15964E91-148D-620E-DB07-000000003602}3464C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000034289Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:33.235{15964E91-0672-620E-BC00-000000003602}48522656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{15964E91-148D-620E-DB07-000000003602}3464C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000034288Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:33.236{15964E91-148D-620E-DB07-000000003602}3464C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{15964E91-054F-620E-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{15964E91-0672-620E-BC00-000000003602}4852C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000034287Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:33.051{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D1C5D3F9603BA52FE3A2AFE98ECC7361,SHA256=FFF8333B061B8646FC27D9116FE151AAD6217D45A0B2002DB4001F6D737A9FF9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034311Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:34.648{15964E91-148E-620E-DC07-000000003602}42084392C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{15964E91-0672-620E-BC00-000000003602}4852C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000034310Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:33.612{15964E91-067A-620E-EA00-000000003602}944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-72.attackrange.local54611-false10.0.1.12-8000- 23542300x800000000000000034309Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:34.443{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF0D002CFB87DBED376EB9BDAD2063F6,SHA256=593579811DB08F87DB63A7960608A4C3F28F6A92EAEEDED1F00F88265827DBCC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034308Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:34.390{15964E91-0672-620E-C000-000000003602}31923852C:\Windows\system32\conhost.exe{15964E91-148E-620E-DC07-000000003602}4208C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034307Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:34.390{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034306Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:34.390{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034305Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:34.390{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034304Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:34.390{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034303Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:34.390{15964E91-054E-620E-0500-000000003602}392508C:\Windows\system32\csrss.exe{15964E91-148E-620E-DC07-000000003602}4208C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000034302Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:34.390{15964E91-0672-620E-BC00-000000003602}48522656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{15964E91-148E-620E-DC07-000000003602}4208C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000034301Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:34.391{15964E91-148E-620E-DC07-000000003602}4208C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{15964E91-054F-620E-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{15964E91-0672-620E-BC00-000000003602}4852C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000034300Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:34.290{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3CA697A6AF03F7390D6364D5795D135F,SHA256=8FD6C27C67948804DA61097535E25FD0137106338E3EC8E62AB0E7B1D4D8D5D9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034330Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:35.949{15964E91-0672-620E-C000-000000003602}31923852C:\Windows\system32\conhost.exe{15964E91-148F-620E-DE07-000000003602}6472C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034329Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:35.949{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034328Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:35.949{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034327Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:35.949{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034326Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:35.949{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034325Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:35.949{15964E91-054E-620E-0500-000000003602}392476C:\Windows\system32\csrss.exe{15964E91-148F-620E-DE07-000000003602}6472C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000034324Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:35.949{15964E91-0672-620E-BC00-000000003602}48522656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{15964E91-148F-620E-DE07-000000003602}6472C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000034323Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:35.950{15964E91-148F-620E-DE07-000000003602}6472C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{15964E91-054F-620E-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{15964E91-0672-620E-BC00-000000003602}4852C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000034322Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:35.465{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E945E747BA41695EE85BE764C1C5B056,SHA256=34FEB2944D6355D8DFDE528E0F298958A5C489427245A8D23022C088943D2D7F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034321Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:35.431{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A677B32CDFC171DA1DB90A8C1761DD64,SHA256=E383777BA3699F152FF9958F2A28175C043851D75BF575165C0DB4063E709A63,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034320Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:35.317{15964E91-148F-620E-DD07-000000003602}21524256C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{15964E91-0672-620E-BC00-000000003602}4852C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034319Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:35.061{15964E91-0672-620E-C000-000000003602}31923852C:\Windows\system32\conhost.exe{15964E91-148F-620E-DD07-000000003602}2152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034318Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:35.061{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034317Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:35.061{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034316Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:35.061{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034315Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:35.061{15964E91-054E-620E-0500-000000003602}392476C:\Windows\system32\csrss.exe{15964E91-148F-620E-DD07-000000003602}2152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000034314Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:35.061{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034313Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:35.061{15964E91-0672-620E-BC00-000000003602}48522656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{15964E91-148F-620E-DD07-000000003602}2152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000034312Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:35.062{15964E91-148F-620E-DD07-000000003602}2152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{15964E91-054F-620E-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{15964E91-0672-620E-BC00-000000003602}4852C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000034332Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:36.995{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A8BE8BA1C88061ABA6954ED1BEDD050A,SHA256=908A60238D060B5D119AF6D22B0DC49073A735ED9A8DDE5F23CBF0200C6E9699,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034331Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:36.480{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=691F829B135FD688C6D176A00CFA8F9F,SHA256=E6A65604E133526E36B9C17439B1D0F9D2F4E7E40EBA151CE51A49584F07F78A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034333Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:37.510{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E74152774DC443811F53CEA991F20D12,SHA256=586CFD61851C00BB1C5B3F92235EBF712C7FE6C4497E8BC869CD9A9BD0CD0158,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034334Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:38.527{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=767396993857000D7B13A38C4C525EB2,SHA256=4E54E0FDD41A24C5D1BFAF179B3045BB20446F394CED490F65BC36A4760D17BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034335Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:39.546{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F9B086AC13A1A3A8600B27E319AA4F5,SHA256=9ECA1B3D7817E407E54CA9D78C90A41E13A9DF3BAA5A2076680DB1FA67DB8EFD,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034337Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:38.720{15964E91-067A-620E-EA00-000000003602}944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-72.attackrange.local54612-false10.0.1.12-8000- 23542300x800000000000000034336Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:40.577{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23A71F7B978162CA8691C98CF09AC552,SHA256=87579B19868A4954AAC41C04AD8316EA58220725C679369703A0842C5439B41B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034338Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:41.592{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE5E124847E0DAA000280481A38FC3D8,SHA256=61136FE323D180A1200E7AF38EA2B71C2615ED26118E79A427B0DA2F6447C66C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034339Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:42.606{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0063DA1242B5A0C12F93A0F90B7E6A63,SHA256=C0135E0AD44A1EB2AC2055502889F0A723942E8BC46FEDD7806A629714D4EE32,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034340Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:43.624{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=120CDF2F0F07279C38BA0ECD9A92431B,SHA256=32C25A299A128260D7565A15F4B075627F5AA3CA007621297050A0ED524C8EB5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034341Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:44.643{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AFFD4B7CB8A287766A3A0306DCB53A2E,SHA256=4703015D9724D45EFD26C35C572660CB06CBDFDB92B2AB760C2921B8113A2DB0,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034343Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:44.635{15964E91-067A-620E-EA00-000000003602}944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-72.attackrange.local54613-false10.0.1.12-8000- 23542300x800000000000000034342Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:45.659{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7DA05A4B873DA0B065FF36F441C071C0,SHA256=A86570AE3322E1DA4B9F964DC4C33A2D1804838391AE80B8B6AD156C5E4DE274,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034344Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:46.674{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D4631D99E1C69FD41FC09786302425E,SHA256=52D24B538A88EB3A79B14AFEF6D02957CF30B08F035C6F17787F4759A5829E26,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034345Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:47.690{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23E339845994C2F2BF6483D2EB9E0F66,SHA256=080770C03B2D7F34BE6673B2EE7AB84D16B9DF32E1EDB0541B9CD220941D29D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034346Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:48.699{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0481B2CC077D5AF9E302982D57EC591F,SHA256=A483E7A3548B438DF1C05650D7254D4EA2819CCE03EEE377786A546FC8385FC9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034347Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:49.722{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E5DF9F31919473BA4C09D62E03322B2,SHA256=874FB22FFFBFAC9EADE5B077398593F1F89974A605764A39AADCBFBF9A82B796,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034348Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:50.742{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22165DECEE2E1B9AE8F8109744ED1DF2,SHA256=AECA2476D42B7B9AE1F5AB720D47B7FABE4FDD163BE2742D3B473FBF44CBF391,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034350Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:50.648{15964E91-067A-620E-EA00-000000003602}944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-72.attackrange.local54614-false10.0.1.12-8000- 23542300x800000000000000034349Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:51.744{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5B3CB266AB205EFD5F6D284722FF376,SHA256=0DB88C0A6A3DB6CF755CA48D0BF0801A30F94E9E5204AEF22B9456DBE9A939C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034351Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:52.745{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7EFA759F41EA38402A4C7F05773FF42E,SHA256=66E45B3660D57474244C5ADE70EA4FFF0B28EDD25DE9B30BB172EE591E3BB7E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034352Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:53.746{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13DC84724F4F1CD4DEFE23A28952A20E,SHA256=7282C348F91472ECB90B326FA72C562678A49977A5587467CE5D94CB28F8BBCE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034353Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:54.760{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F19FDEF34D344883DEDD86B10A6A6F52,SHA256=BE4B428E946A7C46F69E4D7DE1B086464E5D85660D219FC332017CA1661D2DD2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034358Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:55.807{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=744A13182054B655C416B094F354D4ED,SHA256=636052CA43407D7F18006608B19D5347450D8C61BC4B9348D507D7209D49E162,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034357Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:55.129{15964E91-0551-620E-1200-000000003602}4161700C:\Windows\system32\svchost.exe{15964E91-143F-620E-CE07-000000003602}2588C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 17141700x800000000000000034356Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-CreatePipe2022-02-17 09:25:55.091{15964E91-0D67-620E-C106-000000003602}7132\chrome.7132.140.84656755C:\Program Files\Mozilla Firefox\firefox.exe 10341000x800000000000000034355Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:55.060{15964E91-0D67-620E-C106-000000003602}71324796C:\Program Files\Mozilla Firefox\firefox.exe{15964E91-1428-620E-CD07-000000003602}5568C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+2ba20|C:\Program Files\Mozilla Firefox\xul.dll+e4d42d|C:\Program Files\Mozilla Firefox\xul.dll+e4ceb8|C:\Program Files\Mozilla Firefox\xul.dll+844fb2|C:\Program Files\Mozilla Firefox\xul.dll+8390ea|C:\Program Files\Mozilla Firefox\xul.dll+19df6f7|C:\Program Files\Mozilla Firefox\xul.dll+16aee96|C:\Program Files\Mozilla Firefox\xul.dll+1a05b8f|C:\Program Files\Mozilla Firefox\xul.dll+9945bf|C:\Program Files\Mozilla Firefox\xul.dll+2479e|C:\Program Files\Mozilla Firefox\xul.dll+18eaa8|C:\Program Files\Mozilla Firefox\xul.dll+18d99f|C:\Program Files\Mozilla Firefox\xul.dll+43e0a51|C:\Program Files\Mozilla Firefox\xul.dll+444af9b|C:\Program Files\Mozilla Firefox\xul.dll+444bd89|C:\Program Files\Mozilla Firefox\xul.dll+1f9ea33|C:\Program Files\Mozilla Firefox\firefox.exe+9e20|C:\Program Files\Mozilla Firefox\firefox.exe+1ca68|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034354Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:55.060{15964E91-0D67-620E-C106-000000003602}71324796C:\Program Files\Mozilla Firefox\firefox.exe{15964E91-143F-620E-CE07-000000003602}2588C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+2ba20|C:\Program Files\Mozilla Firefox\xul.dll+e4d42d|C:\Program Files\Mozilla Firefox\xul.dll+e47659|C:\Program Files\Mozilla Firefox\xul.dll+e48048|C:\Program Files\Mozilla Firefox\xul.dll+e363d1|C:\Program Files\Mozilla Firefox\xul.dll+4218b14|C:\Program Files\Mozilla Firefox\xul.dll+243d6f0|C:\Program Files\Mozilla Firefox\xul.dll+98726e|C:\Program Files\Mozilla Firefox\xul.dll+948901|C:\Program Files\Mozilla Firefox\xul.dll+18f18d|C:\Program Files\Mozilla Firefox\xul.dll+98a737|C:\Program Files\Mozilla Firefox\xul.dll+95183a|C:\Program Files\Mozilla Firefox\xul.dll+9545f1|C:\Program Files\Mozilla Firefox\xul.dll+95340e|C:\Program Files\Mozilla Firefox\xul.dll+952787|C:\Program Files\Mozilla Firefox\xul.dll+95c8a2|C:\Program Files\Mozilla Firefox\xul.dll+8959ca|C:\Program Files\Mozilla Firefox\xul.dll+82af27|C:\Program Files\Mozilla Firefox\xul.dll+19df6f7|C:\Program Files\Mozilla Firefox\xul.dll+16aee96|C:\Program Files\Mozilla Firefox\xul.dll+1a05b8f|C:\Program Files\Mozilla Firefox\xul.dll+9945bf 22542200x800000000000000034413Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:54.853{15964E91-0D67-620E-C106-000000003602}7132raw.githubusercontent.com02606:50c0:8001::154;2606:50c0:8000::154;2606:50c0:8003::154;2606:50c0:8002::154;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000034412Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:54.852{15964E91-0D67-620E-C106-000000003602}7132raw.githubusercontent.com0185.199.108.133;185.199.109.133;185.199.110.133;185.199.111.133;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000034411Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:54.851{15964E91-0D67-620E-C106-000000003602}7132raw.githubusercontent.com0::ffff:185.199.111.133;::ffff:185.199.108.133;::ffff:185.199.109.133;::ffff:185.199.110.133;C:\Program Files\Mozilla Firefox\firefox.exe 23542300x800000000000000034410Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:56.828{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95E2A63567A24A0805D1968DFF1F5D3B,SHA256=21F91256E76CC9D721A1F357CB0A76D74B5505102E9D7F357FA38DEB08914FCC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034409Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:56.260{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0247F62A35774954D58E1FE049E9A0F,SHA256=D3029F68E4790D1A01F45A297398B713D6AB335C438B370EC5925BBE092071CF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034408Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:56.160{15964E91-0551-620E-1200-000000003602}4161700C:\Windows\system32\svchost.exe{15964E91-14A4-620E-DF07-000000003602}2212C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034407Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:56.160{15964E91-0551-620E-1200-000000003602}4161700C:\Windows\system32\svchost.exe{15964E91-14A4-620E-DF07-000000003602}2212C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034406Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:56.160{15964E91-054F-620E-0B00-000000003602}608648C:\Windows\system32\lsass.exe{15964E91-14A4-620E-DF07-000000003602}2212C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034405Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:56.160{15964E91-054F-620E-0B00-000000003602}608648C:\Windows\system32\lsass.exe{15964E91-14A4-620E-DF07-000000003602}2212C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x800000000000000034404Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-ConnectPipe2022-02-17 09:25:56.144{15964E91-0D67-620E-C106-000000003602}7132\cubeb-pipe-7132-48C:\Program Files\Mozilla Firefox\firefox.exe 17141700x800000000000000034403Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-CreatePipe2022-02-17 09:25:56.144{15964E91-0D67-620E-C106-000000003602}7132\cubeb-pipe-7132-48C:\Program Files\Mozilla Firefox\firefox.exe 10341000x800000000000000034402Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:56.128{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-14A4-620E-DF07-000000003602}2212C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034401Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:56.128{15964E91-0551-620E-1600-000000003602}13281368C:\Windows\system32\svchost.exe{15964E91-14A4-620E-DF07-000000003602}2212C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x800000000000000034400Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-ConnectPipe2022-02-17 09:25:56.128{15964E91-0D69-620E-C206-000000003602}6692\chrome.7132.142.19077362C:\Program Files\Mozilla Firefox\firefox.exe 17141700x800000000000000034399Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-CreatePipe2022-02-17 09:25:56.128{15964E91-0D67-620E-C106-000000003602}7132\chrome.7132.142.19077362C:\Program Files\Mozilla Firefox\firefox.exe 10341000x800000000000000034398Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:56.127{15964E91-0D67-620E-C106-000000003602}71322220C:\Program Files\Mozilla Firefox\firefox.exe{15964E91-14A4-620E-DF07-000000003602}2212C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+19fd0bf|C:\Program Files\Mozilla Firefox\xul.dll+19fb95b|C:\Program Files\Mozilla Firefox\xul.dll+12bc5|C:\Program Files\Mozilla Firefox\xul.dll+9945bf|C:\Program Files\Mozilla Firefox\xul.dll+127a7|C:\Program Files\Mozilla Firefox\xul.dll+991801|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1d4d8|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x800000000000000034397Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-ConnectPipe2022-02-17 09:25:56.127{15964E91-0D67-620E-C106-000000003602}7132\chrome.7132.141.82500612C:\Program Files\Mozilla Firefox\firefox.exe 10341000x800000000000000034396Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:56.124{15964E91-0D67-620E-C106-000000003602}71323292C:\Program Files\Mozilla Firefox\firefox.exe{15964E91-14A4-620E-DF07-000000003602}2212C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+12332b|C:\Program Files\Mozilla Firefox\xul.dll+121a9ff|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1d4d8|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x800000000000000034395Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-ConnectPipe2022-02-17 09:25:56.123{15964E91-0D67-620E-C106-000000003602}7132\gecko-crash-server-pipe.7132C:\Program Files\Mozilla Firefox\firefox.exe 10341000x800000000000000034394Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:56.091{15964E91-0D67-620E-C106-000000003602}71324796C:\Program Files\Mozilla Firefox\firefox.exe{15964E91-14A4-620E-DF07-000000003602}2212C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+2ba20|C:\Program Files\Mozilla Firefox\xul.dll+e4d42d|C:\Program Files\Mozilla Firefox\xul.dll+e47659|C:\Program Files\Mozilla Firefox\xul.dll+e38491|C:\Program Files\Mozilla Firefox\xul.dll+e46718|C:\Program Files\Mozilla Firefox\xul.dll+7cb4e4|C:\Program Files\Mozilla Firefox\xul.dll+19df6f7|C:\Program Files\Mozilla Firefox\xul.dll+19de1b3|C:\Program Files\Mozilla Firefox\xul.dll+16b00b5|C:\Program Files\Mozilla Firefox\xul.dll+1a05d93|C:\Program Files\Mozilla Firefox\xul.dll+9945bf|C:\Program Files\Mozilla Firefox\xul.dll+2479e|C:\Program Files\Mozilla Firefox\xul.dll+18eaa8|C:\Program Files\Mozilla Firefox\xul.dll+18d99f|C:\Program Files\Mozilla Firefox\xul.dll+43e0a51|C:\Program Files\Mozilla Firefox\xul.dll+444af9b|C:\Program Files\Mozilla Firefox\xul.dll+444bd89|C:\Program Files\Mozilla Firefox\xul.dll+1f9ea33|C:\Program Files\Mozilla Firefox\firefox.exe+9e20|C:\Program Files\Mozilla Firefox\firefox.exe+1ca68|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034393Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:56.091{15964E91-0D67-620E-C106-000000003602}71322220C:\Program Files\Mozilla Firefox\firefox.exe{15964E91-14A4-620E-DF07-000000003602}2212C:\Program Files\Mozilla Firefox\firefox.exe0x101451C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+9a99af|C:\Program Files\Mozilla Firefox\xul.dll+7cb4e4|C:\Program Files\Mozilla Firefox\xul.dll+19fb56f|C:\Program Files\Mozilla Firefox\xul.dll+12bc5|C:\Program Files\Mozilla Firefox\xul.dll+9945bf|C:\Program Files\Mozilla Firefox\xul.dll+127a7|C:\Program Files\Mozilla Firefox\xul.dll+991801|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1d4d8|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034392Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:56.091{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034391Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:56.091{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034390Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:56.091{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034389Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:56.091{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034388Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:56.091{15964E91-0B49-620E-4B06-000000003602}24362168C:\Windows\system32\csrss.exe{15964E91-14A4-620E-DF07-000000003602}2212C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000034387Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:56.076{15964E91-0D67-620E-C106-000000003602}71326696C:\Program Files\Mozilla Firefox\firefox.exe{15964E91-14A4-620E-DF07-000000003602}2212C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\ADVAPI32.dll+189bf|C:\Program Files\Mozilla Firefox\firefox.exe+30d6d|C:\Program Files\Mozilla Firefox\firefox.exe+2ff95|C:\Program Files\Mozilla Firefox\xul.dll+205542a|C:\Program Files\Mozilla Firefox\xul.dll+9a599e|C:\Program Files\Mozilla Firefox\xul.dll+9a3b55|C:\Program Files\Mozilla Firefox\xul.dll+9aa7de|C:\Program Files\Mozilla Firefox\xul.dll+83735d|C:\Program Files\Mozilla Firefox\xul.dll+16af1e9|C:\Program Files\Mozilla Firefox\xul.dll+16ae34a|C:\Program Files\Mozilla Firefox\xul.dll+9945bf|C:\Program Files\Mozilla Firefox\xul.dll+2479e|C:\Program Files\Mozilla Firefox\xul.dll+83a0fb|C:\Program Files\Mozilla Firefox\nss3.dll+6b2c|C:\Program Files\Mozilla Firefox\nss3.dll+8feb1|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1d4d8|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000034386Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:56.090{15964E91-14A4-620E-DF07-000000003602}2212C:\Program Files\Mozilla Firefox\firefox.exe97.0FirefoxFirefoxMozilla Corporationfirefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="7132.141.825006121\1029226927" -childID 49 -isForBrowser -prefsHandle 4532 -prefMapHandle 4348 -prefsLen 14938 -prefMapSize 242227 -jsInitHandle 1064 -jsInitLen 279340 -parentBuildID 20220202182137 -appDir "C:\Program Files\Mozilla Firefox\browser" - 7132 "\\.\pipe\gecko-crash-server-pipe.7132" 6840 27b9b6f6a48 tabC:\Program Files\Mozilla Firefox\ATTACKRANGE\Administrator{15964E91-0B4B-620E-27B1-370000000000}0x37b1272LowMD5=483C957E78DC5F376690F2A723122472,SHA256=D6BBFEF307CEF9D87BA5D40AC14315545CEFBBDECF705912C52C848EEBF8649D,IMPHASH=FAFFE564A2DAFFCCC4A6BE71D34C1748{15964E91-0D67-620E-C106-000000003602}7132C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" 10341000x800000000000000034385Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:56.076{15964E91-054F-620E-0B00-000000003602}608648C:\Windows\system32\lsass.exe{15964E91-0D67-620E-C106-000000003602}7132C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034384Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:56.076{15964E91-054F-620E-0B00-000000003602}608648C:\Windows\system32\lsass.exe{15964E91-0D67-620E-C106-000000003602}7132C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034383Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:56.076{15964E91-054F-620E-0B00-000000003602}608648C:\Windows\system32\lsass.exe{15964E91-0D67-620E-C106-000000003602}7132C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034382Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:56.076{15964E91-054F-620E-0B00-000000003602}608648C:\Windows\system32\lsass.exe{15964E91-0D67-620E-C106-000000003602}7132C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034381Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:56.076{15964E91-054F-620E-0B00-000000003602}608648C:\Windows\system32\lsass.exe{15964E91-0D67-620E-C106-000000003602}7132C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034380Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:56.076{15964E91-054F-620E-0B00-000000003602}608648C:\Windows\system32\lsass.exe{15964E91-0D67-620E-C106-000000003602}7132C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034379Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:56.076{15964E91-054F-620E-0B00-000000003602}608648C:\Windows\system32\lsass.exe{15964E91-0D67-620E-C106-000000003602}7132C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034378Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:56.076{15964E91-054F-620E-0B00-000000003602}608648C:\Windows\system32\lsass.exe{15964E91-0D67-620E-C106-000000003602}7132C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034377Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:56.076{15964E91-054F-620E-0B00-000000003602}608648C:\Windows\system32\lsass.exe{15964E91-0D67-620E-C106-000000003602}7132C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034376Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:56.076{15964E91-054F-620E-0B00-000000003602}608648C:\Windows\system32\lsass.exe{15964E91-0D67-620E-C106-000000003602}7132C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034375Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:56.076{15964E91-054F-620E-0B00-000000003602}608648C:\Windows\system32\lsass.exe{15964E91-0D67-620E-C106-000000003602}7132C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034374Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:56.076{15964E91-054F-620E-0B00-000000003602}608648C:\Windows\system32\lsass.exe{15964E91-0D67-620E-C106-000000003602}7132C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034373Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:56.076{15964E91-054F-620E-0B00-000000003602}608648C:\Windows\system32\lsass.exe{15964E91-0D67-620E-C106-000000003602}7132C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034372Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:56.076{15964E91-054F-620E-0B00-000000003602}608648C:\Windows\system32\lsass.exe{15964E91-0D67-620E-C106-000000003602}7132C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034371Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:56.076{15964E91-054F-620E-0B00-000000003602}608648C:\Windows\system32\lsass.exe{15964E91-0D67-620E-C106-000000003602}7132C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034370Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:56.076{15964E91-054F-620E-0B00-000000003602}608648C:\Windows\system32\lsass.exe{15964E91-0D67-620E-C106-000000003602}7132C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034369Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:56.076{15964E91-054F-620E-0B00-000000003602}608648C:\Windows\system32\lsass.exe{15964E91-0D67-620E-C106-000000003602}7132C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034368Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:56.076{15964E91-054F-620E-0B00-000000003602}608648C:\Windows\system32\lsass.exe{15964E91-0D67-620E-C106-000000003602}7132C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034367Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:56.076{15964E91-054F-620E-0B00-000000003602}608648C:\Windows\system32\lsass.exe{15964E91-0D67-620E-C106-000000003602}7132C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034366Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:56.076{15964E91-054F-620E-0B00-000000003602}608648C:\Windows\system32\lsass.exe{15964E91-0D67-620E-C106-000000003602}7132C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034365Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:56.076{15964E91-054F-620E-0B00-000000003602}608648C:\Windows\system32\lsass.exe{15964E91-0D67-620E-C106-000000003602}7132C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034364Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:56.076{15964E91-054F-620E-0B00-000000003602}608648C:\Windows\system32\lsass.exe{15964E91-0D67-620E-C106-000000003602}7132C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034363Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:56.076{15964E91-054F-620E-0B00-000000003602}608648C:\Windows\system32\lsass.exe{15964E91-0D67-620E-C106-000000003602}7132C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034362Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:56.076{15964E91-054F-620E-0B00-000000003602}608648C:\Windows\system32\lsass.exe{15964E91-0D67-620E-C106-000000003602}7132C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034361Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:56.076{15964E91-054F-620E-0B00-000000003602}608648C:\Windows\system32\lsass.exe{15964E91-0D67-620E-C106-000000003602}7132C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034360Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:56.076{15964E91-054F-620E-0B00-000000003602}608648C:\Windows\system32\lsass.exe{15964E91-0D67-620E-C106-000000003602}7132C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 17141700x800000000000000034359Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-CreatePipe2022-02-17 09:25:56.076{15964E91-0D67-620E-C106-000000003602}7132\chrome.7132.141.82500612C:\Program Files\Mozilla Firefox\firefox.exe 10341000x800000000000000034422Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:57.890{15964E91-0D67-620E-C106-000000003602}71324796C:\Program Files\Mozilla Firefox\firefox.exe{15964E91-0D69-620E-C206-000000003602}6692C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+ecbfb2|C:\Program Files\Mozilla Firefox\xul.dll+ba1e22|C:\Program Files\Mozilla Firefox\xul.dll+271672|C:\Program Files\Mozilla Firefox\xul.dll+27144a|C:\Program Files\Mozilla Firefox\xul.dll+ee484f|C:\Program Files\Mozilla Firefox\xul.dll+1b43a7e|C:\Program Files\Mozilla Firefox\xul.dll+1b46e28|C:\Program Files\Mozilla Firefox\xul.dll+17a6989|C:\Program Files\Mozilla Firefox\xul.dll+17a5e25|C:\Program Files\Mozilla Firefox\xul.dll+3b58399|C:\Program Files\Mozilla Firefox\xul.dll+3b58864|C:\Program Files\Mozilla Firefox\xul.dll+3819cf0|C:\Program Files\Mozilla Firefox\xul.dll+2eecfb4|C:\Program Files\Mozilla Firefox\xul.dll+1732f27|C:\Program Files\Mozilla Firefox\xul.dll+1bed0db|C:\Program Files\Mozilla Firefox\xul.dll+17b963c|C:\Program Files\Mozilla Firefox\xul.dll+1859fb3|C:\Program Files\Mozilla Firefox\xul.dll+2e8c45|C:\Program Files\Mozilla Firefox\xul.dll+e5537e|C:\Program Files\Mozilla Firefox\xul.dll+2e7898|C:\Program Files\Mozilla Firefox\xul.dll+e52c58|C:\Program Files\Mozilla Firefox\xul.dll+1a1311 354300x800000000000000034421Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:56.667{15964E91-067A-620E-EA00-000000003602}944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-72.attackrange.local54616-false10.0.1.12-8000- 354300x800000000000000034420Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:55.349{15964E91-0D67-620E-C106-000000003602}7132C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-tcontreras-attack-range-72.attackrange.local54615-false185.199.111.133cdn-185-199-111-133.github.com443https 23542300x800000000000000034419Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:57.843{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A692EA6C0F45038B51EC4B1ED5F635FB,SHA256=6EFEDF8D6C171A99C8BA1F88238011EB1C538D30D089FA13B91390DA79458AA8,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034418Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:55.348{15964E91-0562-620E-2A00-000000003602}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-72.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-72.attackrange.local63651- 354300x800000000000000034417Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:55.348{15964E91-0562-620E-2A00-000000003602}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-72.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-72.attackrange.local63641- 354300x800000000000000034416Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:55.346{15964E91-0562-620E-2A00-000000003602}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-72.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-72.attackrange.local49638- 23542300x800000000000000034415Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:57.091{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1CE7684D78636CB02FF55E01A1E83ECA,SHA256=6FF8547BAAF5F2DB8AFADE55CCBF893149D8A75FB5DDDED867E4F5F68CEF0AC5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034414Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:57.091{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AAE878B1F3AFE6010EB782825E3D9D6A,SHA256=942A53225D94C4F6BAEC1CE182AB2233866D32ECC56105EC61996720EC3315EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034423Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:58.845{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42647733AAE68F98DE8A893AD17EF0B5,SHA256=0B7E36E91B8346014398357DC7F3ED9B4BAF99877A93111C7CECBA8E244A9041,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034425Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:58.365{15964E91-0562-620E-2A00-000000003602}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-72.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-72.attackrange.local65125- 23542300x800000000000000034424Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:59.860{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07A5D533D176FC47E20E681D333BC8E1,SHA256=EC3A62CFFC97FADC93149D1E67187649DBADBF30C0D8DF880FEC819A67ECB29D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034426Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:00.876{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB181574F83CC26B6C4B038EDDCF8DB1,SHA256=A736ECEFFC2E1741F72BEABE06A9142E4BBAF7F92F3125245FB04658064BB186,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034427Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:01.907{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B85428B4C28B62A44A27EAC0A9E0641,SHA256=68734E0139E0E83E65D69F5DB0C4C97E535BB95E1B30B4F8DBCE188564EF5B95,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034428Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:02.907{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3AE842FE0FB70A46F5BF434ABEEAEBE,SHA256=FD9D01598CF75451C535544B4C7BD5B63A6D21BDC8F420FCE2DBA9A970FEA1C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034429Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:03.924{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=402A8C9A36322BA746E94904A9ED65EC,SHA256=9C76B597FC9D0D13E48E09EC760431FE6C240721F8E483F9732FD3461567D45D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034444Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:04.945{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA60A6ADD6F00BDA998793B883F3227B,SHA256=0CAC40F6DD577074D55E50E6B76D866CC6D64E86A3EE157735A1DC07523CD673,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034443Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:04.375{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D8A73194030E8AD4D80DA18A17F485FF,SHA256=C52EA6EA1454650C2609C0425781E035ACB47A2822DCF7224E8910CC6DD6E440,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034442Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:04.375{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1CE7684D78636CB02FF55E01A1E83ECA,SHA256=6FF8547BAAF5F2DB8AFADE55CCBF893149D8A75FB5DDDED867E4F5F68CEF0AC5,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034441Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:01.714{15964E91-067A-620E-EA00-000000003602}944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-72.attackrange.local54617-false10.0.1.12-8000- 13241300x800000000000000034440Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-SetValue2022-02-17 09:26:04.244{15964E91-054F-620E-0B00-000000003602}608C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x800000000000000034439Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-SetValue2022-02-17 09:26:04.244{15964E91-054F-620E-0B00-000000003602}608C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x003c10c5) 13241300x800000000000000034438Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-SetValue2022-02-17 09:26:04.244{15964E91-054F-620E-0B00-000000003602}608C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d823d8-0x00957e22) 13241300x800000000000000034437Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-SetValue2022-02-17 09:26:04.244{15964E91-054F-620E-0B00-000000003602}608C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d823e0-0x6259e622) 13241300x800000000000000034436Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-SetValue2022-02-17 09:26:04.244{15964E91-054F-620E-0B00-000000003602}608C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d823e8-0xc41e4e22) 13241300x800000000000000034435Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-SetValue2022-02-17 09:26:04.244{15964E91-054F-620E-0B00-000000003602}608C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x800000000000000034434Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-SetValue2022-02-17 09:26:04.244{15964E91-054F-620E-0B00-000000003602}608C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x003c10c5) 13241300x800000000000000034433Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-SetValue2022-02-17 09:26:04.244{15964E91-054F-620E-0B00-000000003602}608C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d823d8-0x00957e22) 13241300x800000000000000034432Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-SetValue2022-02-17 09:26:04.244{15964E91-054F-620E-0B00-000000003602}608C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d823e0-0x6259e622) 13241300x800000000000000034431Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-SetValue2022-02-17 09:26:04.244{15964E91-054F-620E-0B00-000000003602}608C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d823e8-0xc41e4e22) 23542300x800000000000000034430Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:04.144{15964E91-0D67-620E-C106-000000003602}7132ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\lqyh10pn.default-release\datareporting\glean\db\data.safe.binMD5=4A141AA5B58DA150D20D36EAB26ED2BF,SHA256=D25F0C7478D8523567F014272D90011CECC428F8285573DC29C31D0B3942A3D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034454Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:05.968{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE604B8B4F1D2E484E86728480102DCF,SHA256=6AE64F7CA479BCE6AE226D2872AB63063654FA5CB8BD40CEBB63A1A3B2D91AD6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034453Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:05.869{15964E91-0D67-620E-C106-000000003602}7132ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\lqyh10pn.default-release\datareporting\glean\pending_pings\49b1d919-375f-4cb5-b9c8-e2027dbfcf8eMD5=FE56841A801F2A490CAC6C1E23B45C04,SHA256=86727F8DF557BB86EE325778AA2803C6A23480ED03BAA7CDB26209EE2A8DF164,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034452Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:05.647{15964E91-0D67-620E-C106-000000003602}7132ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\lqyh10pn.default-release\datareporting\glean\db\data.safe.binMD5=90C949210A6D6827A68C905AF6F3A77A,SHA256=E4D62D22B5B2A4A231A185C0D52865CD1F6CCAE636D339D0C0AD0ED9847835DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034451Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:05.644{15964E91-0D67-620E-C106-000000003602}7132ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\lqyh10pn.default-release\datareporting\glean\db\data.safe.binMD5=90C949210A6D6827A68C905AF6F3A77A,SHA256=E4D62D22B5B2A4A231A185C0D52865CD1F6CCAE636D339D0C0AD0ED9847835DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034450Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:05.638{15964E91-0D67-620E-C106-000000003602}7132ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\lqyh10pn.default-release\datareporting\glean\db\data.safe.binMD5=7FDB060F4A21A4B2AD1B6824E1AE04CD,SHA256=5DF6FD1A44F0301BF680C1448999D07EEBE1C391257620B78DCFD71107424B6E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034449Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:05.636{15964E91-0D67-620E-C106-000000003602}7132ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\lqyh10pn.default-release\datareporting\glean\db\data.safe.binMD5=1BEC66B7D6FDB07392F889158BABF390,SHA256=3983186060DB9ED94BF7C7F39F90E0FB8C251E55858EE970DD43308259BCACFC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034448Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:05.631{15964E91-0D67-620E-C106-000000003602}7132ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\lqyh10pn.default-release\datareporting\glean\db\data.safe.binMD5=8FC301BDDC705E9BA427BB563E0A74E8,SHA256=62C02A8B8470B75A152C6C5B5A475A0F1842F5D6F39A3C2F8C5C34C806A0BFBD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034447Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:05.623{15964E91-0D67-620E-C106-000000003602}7132ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\lqyh10pn.default-release\datareporting\glean\db\data.safe.binMD5=CA422A6D3FD78E4CF0868ADAC47D32BB,SHA256=6E9C8CDAD36619D72856C104C9C91082574A033A8A7E2B0E8D1B13A2762A6DD1,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034446Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:03.836{15964E91-054F-620E-0B00-000000003602}608C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-72.attackrange.local54618-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-72.attackrange.local389ldap 354300x800000000000000034445Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:03.836{15964E91-0562-620E-2800-000000003602}2872C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-72.attackrange.local54618-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-72.attackrange.local389ldap 10341000x800000000000000034515Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:06.643{15964E91-054F-620E-0B00-000000003602}608656C:\Windows\system32\lsass.exe{15964E91-054D-620E-0100-000000003602}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+97022|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2f1f1|C:\Windows\system32\lsasrv.dll+2d0d6|C:\Windows\system32\lsasrv.dll+32919|C:\Windows\system32\lsasrv.dll+30267|C:\Windows\system32\lsasrv.dll+2f1f1|C:\Windows\system32\lsasrv.dll+1752d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x800000000000000034514Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:06.612{15964E91-054F-620E-0B00-000000003602}608656C:\Windows\system32\lsass.exe{15964E91-0551-620E-1400-000000003602}1076C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000034513Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:06.596{15964E91-0D67-620E-C106-000000003602}7132ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\lqyh10pn.default-release\safebrowsing-updating\social-tracking-protection-twitter-digest256.vlpsetMD5=B50CF628E0082A7840D84D0CBE1CAD48,SHA256=544DF79BCEF9DC8E082021E342C2A1B12CD0B8BDAF3687E0F23785406EDF33AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034512Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:06.596{15964E91-0D67-620E-C106-000000003602}7132ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\lqyh10pn.default-release\safebrowsing-updating\social-tracking-protection-twitter-digest256.sbstoreMD5=F130C472E963FF3CEED251C65964B927,SHA256=E5D2A5BBE8AA43751EF7F7BC3A817A0963D56272A4C9B6055E60929606186CE2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034511Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:06.594{15964E91-0D67-620E-C106-000000003602}7132ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\lqyh10pn.default-release\safebrowsing-updating\social-tracking-protection-linkedin-digest256.vlpsetMD5=5F93E0F827909390D257EBB27C77F392,SHA256=5BCB684F3EE3B2EC2F4945655FBEF281C487399D6BF90451647DB1761715D4C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034510Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:06.593{15964E91-0D67-620E-C106-000000003602}7132ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\lqyh10pn.default-release\safebrowsing-updating\social-tracking-protection-linkedin-digest256.sbstoreMD5=9275B832091D9E3BFE50898A3BE022B5,SHA256=38C52A5435B625083000A054489B95E033F7B352377510DF668CEE749DE5803E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034509Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:06.593{15964E91-0D67-620E-C106-000000003602}7132ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\lqyh10pn.default-release\safebrowsing-updating\social-tracking-protection-facebook-digest256.vlpsetMD5=8AC8A05028631170937EDA4CF0E0A35A,SHA256=456AB2C0E4E117D62DC529362EB22C725D410098868442729ADE5E4FF0822E78,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034508Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:06.591{15964E91-0D67-620E-C106-000000003602}7132ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\lqyh10pn.default-release\safebrowsing-updating\social-tracking-protection-facebook-digest256.sbstoreMD5=7BBA9B83F0F213C5A723209D4C9962CE,SHA256=E1B8E7DEB0F34EEB6BF4D10E47E734A1FE829C365DF360B98646D7E11F2DD4C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034507Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:06.590{15964E91-0D67-620E-C106-000000003602}7132ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\lqyh10pn.default-release\safebrowsing-updating\social-track-digest256.vlpsetMD5=16BF2AA546411BA25DC80EA288D47143,SHA256=524EC56C023155C7BE4C84D5AEC4FE2D85DFBAB3C2FA27F82BCD35028D546F83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034506Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:06.588{15964E91-0D67-620E-C106-000000003602}7132ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\lqyh10pn.default-release\safebrowsing-updating\social-track-digest256.sbstoreMD5=69EE5B232870704AFCC0E8957AA42A0F,SHA256=EC8DF5279022B68C0B542EC1688889374754106DFADBF7CAF8337E3F98865941,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034505Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:06.587{15964E91-0D67-620E-C106-000000003602}7132ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\lqyh10pn.default-release\safebrowsing-updating\mozstd-trackwhite-digest256.vlpsetMD5=83BCEF27E5B36115C2ADBA73CE9A7D2B,SHA256=3F68B0FEFBD484094D6517761B2DC13C6A430DDE3B44FA6CCACA3E39052D2AAD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034504Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:06.565{15964E91-0D67-620E-C106-000000003602}7132ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\lqyh10pn.default-release\safebrowsing-updating\mozstd-trackwhite-digest256.sbstoreMD5=177BC07ECED26CEBE0441C318BD35BB8,SHA256=2A816C802C006DF75CA86E1497E4CF05DFB0F07DB0CD31C0EC30EDAF92C2DF75,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034503Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:06.565{15964E91-0D67-620E-C106-000000003602}7132ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\lqyh10pn.default-release\safebrowsing-updating\mozplugin-block-digest256.vlpsetMD5=FCC9C2C9B611A3264B68EBE180EB4248,SHA256=6ECD378A537EEFE350B45CFA353741383F407D99D776BF23155A7825DC5DD2BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034502Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:06.565{15964E91-0D67-620E-C106-000000003602}7132ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\lqyh10pn.default-release\safebrowsing-updating\mozplugin-block-digest256.sbstoreMD5=519BEB1B01FC355BB388F1F75BE997FD,SHA256=FFE2D3077B81AE6F51B220C1C661B276C823FA67DAD1D64FC5F17249FC54BDC0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034501Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:06.565{15964E91-0D67-620E-C106-000000003602}7132ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\lqyh10pn.default-release\safebrowsing-updating\google4\goog-unwanted-proto.vlpsetMD5=88E36656A2FAA00727F05A0A5963A78B,SHA256=F7764A060932E62AD37471B0FD4DF1542D9DCC2F22CA8EAF1CBD521177FD2CCC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034500Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:06.565{15964E91-0672-620E-BC00-000000003602}4852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=554F80C87A60F88447015614FA504F09,SHA256=9734764964C63DD96DF33102D80013D51246168D99B6876127D1078C9C381AF6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034499Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:06.565{15964E91-0D67-620E-C106-000000003602}7132ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\lqyh10pn.default-release\safebrowsing-updating\google4\goog-unwanted-proto.metadataMD5=D46804DBCA2A77DBC729D88443CC7FF0,SHA256=7736FDDC3E9357D43CBA17FF1FE1E6C3CD85E23C24BF19E8B1C00117BBC223AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034498Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:06.565{15964E91-0D67-620E-C106-000000003602}7132ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\lqyh10pn.default-release\safebrowsing-updating\google4\goog-phish-proto.vlpsetMD5=C48253CF1D2A9A4E65BE0664F7DA4DE6,SHA256=3196F11A179B8EC11256D80861AE57CF2FBCE3D28937AE5FEF5450A5174233DB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034497Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:06.518{15964E91-054F-620E-0B00-000000003602}608656C:\Windows\system32\lsass.exe{15964E91-0551-620E-1600-000000003602}1328C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034496Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:06.503{15964E91-054F-620E-0B00-000000003602}608776C:\Windows\system32\lsass.exe{15964E91-0551-620E-1600-000000003602}1328C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000034495Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:06.470{15964E91-0D67-620E-C106-000000003602}7132ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\lqyh10pn.default-release\safebrowsing-updating\google4\goog-phish-proto.metadataMD5=19449DB498CEFC81B3C86BE8713DDEDC,SHA256=B7F4ECF0FABC1F55242ADE875A82359AAA4F50DF692436BE7C19C2936AA52647,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034494Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:06.470{15964E91-0D67-620E-C106-000000003602}7132ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\lqyh10pn.default-release\safebrowsing-updating\google4\goog-malware-proto.vlpsetMD5=EB2E6454119F9F36075395E93E9397FE,SHA256=8F540912960D7A9CCFD6FE26027DE87854BBDB3FD2A5642911B5EA146C1D0A13,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034493Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:06.470{15964E91-0D67-620E-C106-000000003602}7132ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\lqyh10pn.default-release\safebrowsing-updating\google4\goog-malware-proto.metadataMD5=15A633D57EDA6D540F58AA15C2220F45,SHA256=F0C0AF86B1EFD3ABDFE522BA98A2CC667EF88268463E386B6B0E984D7806EFC8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034492Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:06.470{15964E91-0D67-620E-C106-000000003602}7132ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\lqyh10pn.default-release\safebrowsing-updating\google4\goog-downloadwhite-proto.vlpsetMD5=B0272F5CF9F56F11C856155DC5F40BE1,SHA256=74AB81A1929A8806D559A13140947F076CABA52BF882364C416EF4D8E9B155F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034491Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:06.470{15964E91-0D67-620E-C106-000000003602}7132ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\lqyh10pn.default-release\safebrowsing-updating\google4\goog-downloadwhite-proto.metadataMD5=9A73468CCF6F575C60C851B9CA0CEB38,SHA256=43C5FF90275C946D660E69142234C7984D5C268E15889DE5D86D73B7FF31BD3A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034490Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:06.470{15964E91-0D67-620E-C106-000000003602}7132ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\lqyh10pn.default-release\safebrowsing-updating\google4\goog-badbinurl-proto.vlpsetMD5=A782AEC28A4EBB69F24B60F59FA66F38,SHA256=ABF8A1022B25C4008669B9D97E99BA6319CD4B3D188596C795848A669990B224,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034489Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:06.470{15964E91-0D67-620E-C106-000000003602}7132ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\lqyh10pn.default-release\safebrowsing-updating\google4\goog-badbinurl-proto.metadataMD5=A4001CF7BEA74DD2A9D614EA0F0F7F8F,SHA256=51CB8386868FA686ED4AEC74FB7F7F5CB68F01C57BE29313822A98B9EDFC7255,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034488Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:06.470{15964E91-0D67-620E-C106-000000003602}7132ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\lqyh10pn.default-release\safebrowsing-updating\google-trackwhite-digest256.vlpsetMD5=E54E5B84194EEE15E64D2A03F1136BB7,SHA256=07707B589BE3DBA3BB0BDAC67760A2B180EA3531E9D7976B73E4C1D8DF9DBB1E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034487Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:06.454{15964E91-0D67-620E-C106-000000003602}7132ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\lqyh10pn.default-release\safebrowsing-updating\google-trackwhite-digest256.sbstoreMD5=FEC9BC354A7EE92C6FEEFE63E6B0FA26,SHA256=258EF8E6994A09FFB54BD0D5AFEC97C13C31F2EEFB7FE90A2A4C487C87817519,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034486Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:06.454{15964E91-0D67-620E-C106-000000003602}7132ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\lqyh10pn.default-release\safebrowsing-updating\except-flashsubdoc-digest256.vlpsetMD5=0C0D67875BD75A0227C02DD8529BA01A,SHA256=614BE0169EC36E67223EB9645A98DA66DBFDE5DFBB89BB064F428AAEABDD9D97,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034485Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:06.454{15964E91-0D67-620E-C106-000000003602}7132ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\lqyh10pn.default-release\safebrowsing-updating\except-flashsubdoc-digest256.sbstoreMD5=22698B4CF784DBBAE2D583F00491D43D,SHA256=3849563088AE0677D61702A1310FDE26DE5DDD846D53037222D3EFE012197BF5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034484Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:06.438{15964E91-0D67-620E-C106-000000003602}7132ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\lqyh10pn.default-release\safebrowsing-updating\except-flashallow-digest256.vlpsetMD5=7194B6BFF691A056852A51E2E06CE8FE,SHA256=CBE2DC6ABFE25BEAD60F4DFAF419FC0F441FF8A8DD4A2FEBF5553BE1CBD90C49,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034483Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:06.438{15964E91-0D67-620E-C106-000000003602}7132ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\lqyh10pn.default-release\safebrowsing-updating\except-flashallow-digest256.sbstoreMD5=DD0458514C9A922B45DA6A8BEBE47320,SHA256=D27D5B27030F4725249377951BEB89E84A90A0E8241F0D5FD80EA59C1606E761,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034482Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:06.438{15964E91-0D67-620E-C106-000000003602}7132ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\lqyh10pn.default-release\safebrowsing-updating\except-flash-digest256.vlpsetMD5=C2994D388F8780C87D35C352D9582985,SHA256=7ED09F7D2BD632F70077A4AE4F2BD2F3FB654B03CD72652F51678B0C7D027F25,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034481Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:06.438{15964E91-0D67-620E-C106-000000003602}7132ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\lqyh10pn.default-release\safebrowsing-updating\except-flash-digest256.sbstoreMD5=D5D6B4D59B4AE4E2DE4B40D0DA083571,SHA256=000E3A78C72A210CA3B5417A3CDD294FBCE2A31661601C9D594C75CF2800571C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034480Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:06.438{15964E91-0D67-620E-C106-000000003602}7132ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\lqyh10pn.default-release\safebrowsing-updating\content-track-digest256.vlpsetMD5=07FF16BA9846838DA27AE094A1B91369,SHA256=DC83AE90504AC11C29876CFC48483976397E899958EE8EDE7F381971A2C2C4B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034479Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:06.438{15964E91-0D67-620E-C106-000000003602}7132ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\lqyh10pn.default-release\safebrowsing-updating\content-track-digest256.sbstoreMD5=1B9A162CEB3C7BE8393CE348F35A4564,SHA256=2D6B6351BD1B8C2047DA1854D0033EE6C5CD9F1BFE38C5E1A2B82C86AFE8A598,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034478Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:06.438{15964E91-0D67-620E-C106-000000003602}7132ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\lqyh10pn.default-release\safebrowsing-updating\block-flashsubdoc-digest256.vlpsetMD5=40165280FF1345B5241EC2A9D1DA2AF0,SHA256=F80BDD5341D8B1EE946E344E258EF2D35C3C0BB6B13EB7B3E6A77467DFA8B97F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034477Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:06.438{15964E91-0D67-620E-C106-000000003602}7132ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\lqyh10pn.default-release\safebrowsing-updating\block-flashsubdoc-digest256.sbstoreMD5=B9556D03AFF392142AD5691D2F867310,SHA256=CFD3909B41C1EE3CBCB8B7D2B1378065E7D3B543FFF1F2FB7A4F25C5FF41722C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034476Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:06.438{15964E91-0D67-620E-C106-000000003602}7132ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\lqyh10pn.default-release\safebrowsing-updating\block-flash-digest256.vlpsetMD5=130B9AC2BEEC5ADA274561105D81AE36,SHA256=7D99FEC08182A5B95D18D1569EDAA2C60C2AAFBD15A56D8882F22F3B395E6460,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034475Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:06.438{15964E91-0D67-620E-C106-000000003602}7132ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\lqyh10pn.default-release\safebrowsing-updating\block-flash-digest256.sbstoreMD5=9F6B331AA1E070DCFEED473E76CE56C3,SHA256=7DBBEA2DD387EEB85E1F56E02FC9989ACDE570CD43BFEF2C2A827093BA87DA6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034474Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:06.438{15964E91-0D67-620E-C106-000000003602}7132ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\lqyh10pn.default-release\safebrowsing-updating\base-fingerprinting-track-digest256.vlpsetMD5=0DBA6F5178E8433D0EED8C5BB5223635,SHA256=262DCBF46B0C20468B29D2908412070388B9BAAF0AFED3693245F92E61E5DE00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034473Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:06.438{15964E91-0D67-620E-C106-000000003602}7132ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\lqyh10pn.default-release\safebrowsing-updating\base-fingerprinting-track-digest256.sbstoreMD5=D65C0F2F756552800930D7EDA0264C0B,SHA256=67606ECCDB4FA978F4795C2ABC47767824C6D5AD65C3EE02E0E7445A31CF37CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034472Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:06.438{15964E91-0D67-620E-C106-000000003602}7132ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\lqyh10pn.default-release\safebrowsing-updating\base-cryptomining-track-digest256.vlpsetMD5=82E921320B62879B070EBE9D8F1F4256,SHA256=A781BFF04964067CB06EA80DA605A4A2837F7256580693C6DBDCA971D8C9BDB0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034471Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:06.423{15964E91-0D67-620E-C106-000000003602}7132ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\lqyh10pn.default-release\safebrowsing-updating\base-cryptomining-track-digest256.sbstoreMD5=BB9BB51CB484CC5719D210D53CF37762,SHA256=1903A36C25AEB3C61953484ED931ED52AB4A3BD13FCC38046154A6681472D499,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034470Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:06.423{15964E91-0D67-620E-C106-000000003602}7132ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\lqyh10pn.default-release\safebrowsing-updating\analytics-track-digest256.vlpsetMD5=AFD5A023DF4245E323E53D47A0BF9414,SHA256=FEE63ABE7743CA680B6C96024D9EE023C10F7C9BC1929231A663A55A79EF5D59,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034469Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:06.423{15964E91-0D67-620E-C106-000000003602}7132ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\lqyh10pn.default-release\safebrowsing-updating\analytics-track-digest256.sbstoreMD5=80ED9689AB372AAC91B47B347AE5A3BD,SHA256=253E054323EF5921475DD6DFC92942944B17AD7F18FCF851C44F165687F845AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034468Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:06.423{15964E91-0D67-620E-C106-000000003602}7132ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\lqyh10pn.default-release\safebrowsing-updating\allow-flashallow-digest256.vlpsetMD5=DE0D88480C24350C59E1E9A3583DE0D1,SHA256=01BA9F0B913E04ED10BD7166796483DD4F72005F249D6EE68B12117BE4B5D3C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034467Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:06.423{15964E91-0D67-620E-C106-000000003602}7132ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\lqyh10pn.default-release\safebrowsing-updating\allow-flashallow-digest256.sbstoreMD5=DD0458514C9A922B45DA6A8BEBE47320,SHA256=D27D5B27030F4725249377951BEB89E84A90A0E8241F0D5FD80EA59C1606E761,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034466Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:06.423{15964E91-0D67-620E-C106-000000003602}7132ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\lqyh10pn.default-release\safebrowsing-updating\ads-track-digest256.vlpsetMD5=10DF08FF9D77ACBF8F2BFB88B4BF1E3E,SHA256=4CC64D82E2EE876BA287302C877554B9D226416AF66CDF9C0350DBB845433881,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034465Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:06.423{15964E91-0D67-620E-C106-000000003602}7132ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\lqyh10pn.default-release\safebrowsing-updating\ads-track-digest256.sbstoreMD5=E1E560A4EAE533286AEA5189E628BBCA,SHA256=0E5F9C474D34A165AF58EFB90E76E2CEDAE8A3E4FC29A6D9B9E2CFAEACD88A0F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034464Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:06.391{15964E91-0D67-620E-C106-000000003602}7132ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\lqyh10pn.default-release\safebrowsing-updating\google4\goog-badbinurl-proto.metadataMD5=A4001CF7BEA74DD2A9D614EA0F0F7F8F,SHA256=51CB8386868FA686ED4AEC74FB7F7F5CB68F01C57BE29313822A98B9EDFC7255,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034463Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:06.391{15964E91-0D67-620E-C106-000000003602}7132ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\lqyh10pn.default-release\safebrowsing-updating\google4\goog-badbinurl-proto-1.vlpsetMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034462Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:06.307{15964E91-0D67-620E-C106-000000003602}7132ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\lqyh10pn.default-release\safebrowsing-updating\google4\goog-unwanted-proto.metadataMD5=D46804DBCA2A77DBC729D88443CC7FF0,SHA256=7736FDDC3E9357D43CBA17FF1FE1E6C3CD85E23C24BF19E8B1C00117BBC223AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034461Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:06.307{15964E91-0D67-620E-C106-000000003602}7132ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\lqyh10pn.default-release\safebrowsing-updating\google4\goog-unwanted-proto-1.vlpsetMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034460Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:06.292{15964E91-0D67-620E-C106-000000003602}7132ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\lqyh10pn.default-release\safebrowsing-updating\google4\goog-phish-proto.metadataMD5=19449DB498CEFC81B3C86BE8713DDEDC,SHA256=B7F4ECF0FABC1F55242ADE875A82359AAA4F50DF692436BE7C19C2936AA52647,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034459Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:06.249{15964E91-0D67-620E-C106-000000003602}7132ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\lqyh10pn.default-release\datareporting\aborted-session-pingMD5=44EBBFBA9D0DC966FC219D3B98D58927,SHA256=6B90394DD07716043F152392642163AD78F21B97FFEFC17412AEE4B8223B5161,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034458Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:06.239{15964E91-0D67-620E-C106-000000003602}7132ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\lqyh10pn.default-release\safebrowsing-updating\google4\goog-phish-proto-1.vlpsetMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034457Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:05.140{15964E91-0D67-620E-C106-000000003602}7132C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-tcontreras-attack-range-72.attackrange.local54619-false142.250.184.202fra24s11-in-f10.1e100.net443https 354300x800000000000000034456Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:05.136{15964E91-0562-620E-2A00-000000003602}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-72.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-72.attackrange.local54451- 23542300x800000000000000034455Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:06.109{15964E91-0D67-620E-C106-000000003602}7132ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\lqyh10pn.default-release\datareporting\session-state.jsonMD5=F75E0C29BA3EA30E78B7047A1D4273D4,SHA256=41479DBBBCC8EA3D16FB58E3A467293714F5D1E3B85101DDC732575BED09D8AC,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034535Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:07.118{15964E91-0551-620E-0D00-000000003602}880C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:24d2:66f9:4196:9c3fwin-dc-tcontreras-attack-range-72.attackrange.local54626-truefe80:0:0:0:24d2:66f9:4196:9c3fwin-dc-tcontreras-attack-range-72.attackrange.local135epmap 354300x800000000000000034534Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:07.118{15964E91-0551-620E-1400-000000003602}1076C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcptruetruefe80:0:0:0:24d2:66f9:4196:9c3fwin-dc-tcontreras-attack-range-72.attackrange.local54626-truefe80:0:0:0:24d2:66f9:4196:9c3fwin-dc-tcontreras-attack-range-72.attackrange.local135epmap 354300x800000000000000034533Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:07.024{15964E91-0672-620E-BC00-000000003602}4852C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-72.attackrange.local54624-false10.0.1.12-8089- 354300x800000000000000034532Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:07.015{15964E91-054F-620E-0B00-000000003602}608C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-tcontreras-attack-range-72.attackrange.local54625-false10.0.1.14win-dc-tcontreras-attack-range-72.attackrange.local389ldap 354300x800000000000000034531Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:07.014{15964E91-0551-620E-1600-000000003602}1328C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-72.attackrange.local54625-false10.0.1.14win-dc-tcontreras-attack-range-72.attackrange.local389ldap 354300x800000000000000034530Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:07.006{15964E91-054F-620E-0B00-000000003602}608C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:24d2:66f9:4196:9c3fwin-dc-tcontreras-attack-range-72.attackrange.local54623-truefe80:0:0:0:24d2:66f9:4196:9c3fwin-dc-tcontreras-attack-range-72.attackrange.local389ldap 354300x800000000000000034529Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:07.006{15964E91-0551-620E-1600-000000003602}1328C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:24d2:66f9:4196:9c3fwin-dc-tcontreras-attack-range-72.attackrange.local54623-truefe80:0:0:0:24d2:66f9:4196:9c3fwin-dc-tcontreras-attack-range-72.attackrange.local389ldap 354300x800000000000000034528Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:07.002{15964E91-054F-620E-0B00-000000003602}608C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:24d2:66f9:4196:9c3fwin-dc-tcontreras-attack-range-72.attackrange.local54622-truefe80:0:0:0:24d2:66f9:4196:9c3fwin-dc-tcontreras-attack-range-72.attackrange.local49666- 354300x800000000000000034527Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:07.002{15964E91-054F-620E-0B00-000000003602}608C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:24d2:66f9:4196:9c3fwin-dc-tcontreras-attack-range-72.attackrange.local54622-truefe80:0:0:0:24d2:66f9:4196:9c3fwin-dc-tcontreras-attack-range-72.attackrange.local49666- 354300x800000000000000034526Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:07.001{15964E91-0551-620E-0D00-000000003602}880C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:24d2:66f9:4196:9c3fwin-dc-tcontreras-attack-range-72.attackrange.local54621-truefe80:0:0:0:24d2:66f9:4196:9c3fwin-dc-tcontreras-attack-range-72.attackrange.local135epmap 354300x800000000000000034525Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:07.001{15964E91-054F-620E-0B00-000000003602}608C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:24d2:66f9:4196:9c3fwin-dc-tcontreras-attack-range-72.attackrange.local54621-truefe80:0:0:0:24d2:66f9:4196:9c3fwin-dc-tcontreras-attack-range-72.attackrange.local135epmap 23542300x800000000000000034524Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:07.511{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D8A73194030E8AD4D80DA18A17F485FF,SHA256=C52EA6EA1454650C2609C0425781E035ACB47A2822DCF7224E8910CC6DD6E440,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034523Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:07.393{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8E7E05B811045DAAFC07F41D1F97DB0,SHA256=D5BD0A0E24470D5DA670D26A732C1144011469250F44F528A0B4B0C7F615CF88,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034522Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:06.615{15964E91-0562-620E-2A00-000000003602}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-53296- 354300x800000000000000034521Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:06.589{15964E91-0562-620E-2A00-000000003602}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-72.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-72.attackrange.local53296- 354300x800000000000000034520Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:06.149{15964E91-0D67-620E-C106-000000003602}7132C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-tcontreras-attack-range-72.attackrange.local54620-false34.120.208.123123.208.120.34.bc.googleusercontent.com443https 354300x800000000000000034519Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:06.148{15964E91-0562-620E-2A00-000000003602}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-72.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-72.attackrange.local63348- 354300x800000000000000034518Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:06.146{15964E91-0562-620E-2A00-000000003602}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-72.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-72.attackrange.local53061- 354300x800000000000000034517Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:06.142{15964E91-0562-620E-2A00-000000003602}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-72.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-72.attackrange.local49763- 23542300x800000000000000034516Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:07.111{15964E91-0D67-620E-C106-000000003602}7132ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\lqyh10pn.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034540Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:07.139{15964E91-054D-620E-0100-000000003602}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:24d2:66f9:4196:9c3fwin-dc-tcontreras-attack-range-72.attackrange.local54628-truefe80:0:0:0:24d2:66f9:4196:9c3fwin-dc-tcontreras-attack-range-72.attackrange.local445microsoft-ds 354300x800000000000000034539Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:07.139{15964E91-054D-620E-0100-000000003602}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:24d2:66f9:4196:9c3fwin-dc-tcontreras-attack-range-72.attackrange.local54628-truefe80:0:0:0:24d2:66f9:4196:9c3fwin-dc-tcontreras-attack-range-72.attackrange.local445microsoft-ds 354300x800000000000000034538Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:07.131{15964E91-054F-620E-0B00-000000003602}608C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:24d2:66f9:4196:9c3fwin-dc-tcontreras-attack-range-72.attackrange.local54627-truefe80:0:0:0:24d2:66f9:4196:9c3fwin-dc-tcontreras-attack-range-72.attackrange.local49666- 354300x800000000000000034537Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:07.131{15964E91-0551-620E-1400-000000003602}1076C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcptruetruefe80:0:0:0:24d2:66f9:4196:9c3fwin-dc-tcontreras-attack-range-72.attackrange.local54627-truefe80:0:0:0:24d2:66f9:4196:9c3fwin-dc-tcontreras-attack-range-72.attackrange.local49666- 23542300x800000000000000034536Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:08.112{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=727E26B5FEDEE51966AD22497847BF21,SHA256=7857CEEA86355E762B7DC07B2F03E9A8C6D8F7E97FD7E23B8B648AAF666C9A28,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034542Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:07.581{15964E91-067A-620E-EA00-000000003602}944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-72.attackrange.local54629-false10.0.1.12-8000- 23542300x800000000000000034541Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:09.126{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0D185CA740179E664C54A65F6D19295,SHA256=F66DB0AE204610A5584FB67C49E21DCCA76ED79C2788CCB4352D5CA910AF9EC0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034543Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:10.141{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E25AEA51BEC8F8AB19C00F168C3EFD37,SHA256=7B24440AC958AB123B51B54211728BCCD363E77CD22649B645F36D71F7C49A63,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034544Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:11.144{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D2474922FD82EB1A94384212E0828FC,SHA256=B313778B5A099DC120B36FD4EA702963C07DACA1933E3C60BD10523079D08C1B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034545Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:12.193{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFF7CAA0B5BDC1B0BD53BC9C5EE9534F,SHA256=17BD40E8297D11894753A1165C0229D563EDDB15E34FD8F225BC31B90EC481BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034546Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:13.211{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DCF52140C7F5E3B1C290ED74D017512,SHA256=A023C3D2373BD88EA571A8F4EC41BF981A8D35C24371ED0C530AED913A1031C6,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034548Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:12.604{15964E91-067A-620E-EA00-000000003602}944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-72.attackrange.local54630-false10.0.1.12-8000- 23542300x800000000000000034547Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:14.242{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC8EC041854732DB42FA3546B372EA65,SHA256=05F45A144D164ADA019BB59060D27E75D0052EFF4EBCBFBB2B6132B3E50A343E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034549Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:15.257{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23CC485BBA4A264705F97AF20B692BF4,SHA256=00A709490712E703688C47FCBD2B31BEBC1D40CF71CDCD8D38664B55E2FFD3D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034550Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:16.273{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7142E06696589DEA41169F0169E3EBB,SHA256=66542A028442219A4B2A8494D3FA4C5BFCB4A71F261AE7C41802286EA47D7BE7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034552Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:17.856{15964E91-0D67-620E-C106-000000003602}7132ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\lqyh10pn.default-release\xulstore.jsonMD5=2A3CC2404FD9A14E62E290A4D760AD16,SHA256=6B7B2F2D838041111013F7ABE686644F4259441D23BD63C4BB04FBAF6F1B7A61,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034551Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:17.290{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3DED1261922E2B26873D2F9AA4A5A80C,SHA256=EE2CBFF3A0CCFC7A39C5E4A74841AAA9EB5FFAD6C49F29DEC997AE86AA004768,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034555Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:18.409{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1815DE813B09D8177CF7B2CB19303F68,SHA256=D7B8A66CBC9BAC3C751E96756BFBBFC28DE3D658BD1C14FC722987A53F1CA33F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034554Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:18.409{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2EF96C0E6FDAD347331BF1AF674C5BAE,SHA256=5B9085B7B60826BC58BB02013253FDA03CA8D4F1152BF0BC0D15EE2E99BE1ACA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034553Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:18.309{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54F34AF1F741089798AC273828040338,SHA256=7861F5FA85DCB24563DB3F6DA0322ED6393A5259340C801F3B25D88AC9081BB3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034558Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:19.340{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4445A378C0C1EA39D83CE56D549E86F9,SHA256=C5345F06A500007502557817590624A728025CD359BBE9AF02F57F0B4A07CF41,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034557Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:19.071{15964E91-054F-620E-0B00-000000003602}608776C:\Windows\system32\lsass.exe{15964E91-0562-620E-2900-000000003602}2880C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034556Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:19.071{15964E91-054F-620E-0B00-000000003602}608776C:\Windows\system32\lsass.exe{15964E91-0562-620E-2900-000000003602}2880C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000034562Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:19.564{15964E91-0551-620E-0D00-000000003602}880C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:24d2:66f9:4196:9c3fwin-dc-tcontreras-attack-range-72.attackrange.local54632-truefe80:0:0:0:24d2:66f9:4196:9c3fwin-dc-tcontreras-attack-range-72.attackrange.local135epmap 354300x800000000000000034561Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:19.564{15964E91-0562-620E-2900-000000003602}2880C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:24d2:66f9:4196:9c3fwin-dc-tcontreras-attack-range-72.attackrange.local54632-truefe80:0:0:0:24d2:66f9:4196:9c3fwin-dc-tcontreras-attack-range-72.attackrange.local135epmap 354300x800000000000000034560Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:18.578{15964E91-067A-620E-EA00-000000003602}944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-72.attackrange.local54631-false10.0.1.12-8000- 23542300x800000000000000034559Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:20.370{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76A489B3F19A4E382A445157BE122D1D,SHA256=70D51F9742BB577DF01AD6004C1C57007BE65493883950726D706C72A77BFE37,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034563Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:21.388{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=259FE52219625CB89B1212025A103AEF,SHA256=52C327564CB34D3E0D853B7B0FA4A541C8C2A7C475B4612C87343EAC7FB0B399,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034564Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:22.422{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8594F749945D888BAF904A4F0A9D79B,SHA256=095710F018268B1A2EB75EF1BBC6BD30374A704D5D5EDF4E369CF012DE32658B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034565Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:23.436{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E3DB101714BF6D913A8FF95FF6E9C37,SHA256=F193BCF910AC3E607781356D08BE913AD7A982AD23DC703B1A6C5D24869DAB2C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034566Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:24.451{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2584C9F86070205759F27D5831EF7689,SHA256=68F303228D09413F5DD90373424FC742D1F7663A7D64F73A09CD3E456884C560,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034568Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:23.678{15964E91-067A-620E-EA00-000000003602}944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-72.attackrange.local54633-false10.0.1.12-8000- 23542300x800000000000000034567Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:25.484{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8114D466CB1BA5551EDAF61F8B2E880C,SHA256=D3187475CC4B67B2F23DCFBD0A9B71F6E9AF689EC41795790A4515879DA557AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034569Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:26.504{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=213B291AE6C6A21397605606FDC71A8B,SHA256=94347DF175777F164C01726D1B23F1E77602C0EC36780A8770ED8A007C9FE36C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034570Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:27.519{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E7F975C264A53F13CDAA1AFE0B7B8E3,SHA256=5E04E898AE0D98403D799499A779675E7D6AB600374A9278F46FB7755B4B98BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034577Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:28.535{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2002D4ECDEEB25C18CCF1F6FA7A93ABB,SHA256=1F11967A0D1FC5049D048F106A7CC20194D79BD21DDA437BE21FBF52968FD394,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000034576Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-SetValue2022-02-17 09:26:28.219{15964E91-0562-620E-2900-000000003602}2880C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\6FC0DF5C-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_6FC0DF5C-0000-0000-0000-100000000000.XML 13241300x800000000000000034575Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-SetValue2022-02-17 09:26:28.219{15964E91-0562-620E-2900-000000003602}2880C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\3679F75E-AF26-4BA5-BADE-FA655BF916B3\Config SourceDWORD (0x00000001) 13241300x800000000000000034574Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-SetValue2022-02-17 09:26:28.219{15964E91-0562-620E-2900-000000003602}2880C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\3679F75E-AF26-4BA5-BADE-FA655BF916B3\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_3679F75E-AF26-4BA5-BADE-FA655BF916B3.XML 10341000x800000000000000034573Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:28.203{15964E91-054F-620E-0B00-000000003602}608776C:\Windows\system32\lsass.exe{15964E91-0562-620E-2900-000000003602}2880C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034572Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:28.203{15964E91-054F-620E-0B00-000000003602}608776C:\Windows\system32\lsass.exe{15964E91-0562-620E-2900-000000003602}2880C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000034571Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:28.169{15964E91-0562-620E-2C00-000000003602}3036NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0cd13038d9acfb6a1\channels\health\respondent-20220217082052-063MD5=5CDEFFEB9D405321091B6D567D00213B,SHA256=694D3E29A1B4A6F1E67ADE1AE836583F1FB15D03FD159997E24992AEAD1D69F8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034585Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:29.888{15964E91-054F-620E-0B00-000000003602}608656C:\Windows\system32\lsass.exe{15964E91-0562-620E-2900-000000003602}2880C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034584Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:29.885{15964E91-054F-620E-0B00-000000003602}608656C:\Windows\system32\lsass.exe{15964E91-0562-620E-2900-000000003602}2880C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034583Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:29.885{15964E91-054F-620E-0B00-000000003602}608656C:\Windows\system32\lsass.exe{15964E91-0562-620E-2900-000000003602}2880C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000034582Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:29.536{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53C0810B992A28E8FDA61A291F13D6BB,SHA256=0FA07183CC756D6DFCCED91AEC1C0B6E5DC02C74743140350C2580A256960636,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034581Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:29.168{15964E91-0562-620E-2C00-000000003602}3036NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0cd13038d9acfb6a1\channels\health\surveyor-20220217082050-064MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034580Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:29.050{15964E91-054F-620E-0B00-000000003602}608776C:\Windows\system32\lsass.exe{15964E91-0562-620E-2900-000000003602}2880C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034579Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:29.050{15964E91-054F-620E-0B00-000000003602}608776C:\Windows\system32\lsass.exe{15964E91-0562-620E-2900-000000003602}2880C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034578Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:29.050{15964E91-054F-620E-0B00-000000003602}608776C:\Windows\system32\lsass.exe{15964E91-0562-620E-2900-000000003602}2880C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034607Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:30.922{15964E91-0672-620E-C000-000000003602}31923852C:\Windows\system32\conhost.exe{15964E91-14C6-620E-E107-000000003602}3992C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034606Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:30.922{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034605Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:30.922{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034604Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:30.922{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034603Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:30.922{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034602Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:30.922{15964E91-054E-620E-0500-000000003602}392408C:\Windows\system32\csrss.exe{15964E91-14C6-620E-E107-000000003602}3992C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000034601Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:30.922{15964E91-0672-620E-BC00-000000003602}48522656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{15964E91-14C6-620E-E107-000000003602}3992C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791