10341000x800000000000000033936Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:30.417{15964E91-0672-620E-C000-000000003602}31923852C:\Windows\system32\conhost.exe{15964E91-144E-620E-CF07-000000003602}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033935Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:30.413{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033934Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:30.413{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033933Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:30.413{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033932Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:30.412{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033931Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:30.405{15964E91-054E-620E-0500-000000003602}392476C:\Windows\system32\csrss.exe{15964E91-144E-620E-CF07-000000003602}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000033930Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:30.405{15964E91-0672-620E-BC00-000000003602}48522656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{15964E91-144E-620E-CF07-000000003602}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000033929Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:30.406{15964E91-144E-620E-CF07-000000003602}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{15964E91-054F-620E-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{15964E91-0672-620E-BC00-000000003602}4852C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000033928Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:30.313{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C09C37418A02722545CADDD949CE9A40,SHA256=42800CC6EF1CD1156B12D30F7E143B37D4E8F70DFAA69ABCF798EDF28D2F23E6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000033956Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:31.981{15964E91-0672-620E-C000-000000003602}31923852C:\Windows\system32\conhost.exe{15964E91-144F-620E-D107-000000003602}3312C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033955Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:31.979{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033954Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:31.979{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033953Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:31.978{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033952Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:31.978{15964E91-054E-620E-0500-000000003602}392508C:\Windows\system32\csrss.exe{15964E91-144F-620E-D107-000000003602}3312C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000033951Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:31.978{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033950Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:31.978{15964E91-0672-620E-BC00-000000003602}48522656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{15964E91-144F-620E-D107-000000003602}3312C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000033949Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:31.977{15964E91-144F-620E-D107-000000003602}3312C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{15964E91-054F-620E-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{15964E91-0672-620E-BC00-000000003602}4852C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000033948Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:31.414{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=393B92648C1459CC7F8E50C4F0D49325,SHA256=F928066788110B548371634918D3315901229AC60E5B75DC6B99F6BE86411A34,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033947Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:31.414{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=08FE7648540E473CF11F223E38BA466C,SHA256=893FC69D8AF9E04D89B2BD3A3DA43C78B46ACBD6836580ED42F5D6E3266417E8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000033946Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:31.335{15964E91-144F-620E-D007-000000003602}59806096C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{15964E91-0672-620E-BC00-000000003602}4852C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000033945Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:31.327{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B142B056173B900B8D3D149F8529F2F2,SHA256=79154FA8D35A1FACA5DF0399A4B7EE7096D1CF1BE63C5418792A45F72207E43C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000033944Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:31.090{15964E91-0672-620E-C000-000000003602}31923852C:\Windows\system32\conhost.exe{15964E91-144F-620E-D007-000000003602}5980C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033943Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:31.086{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033942Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:31.086{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033941Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:31.086{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033940Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:31.086{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033939Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:31.086{15964E91-054E-620E-0500-000000003602}392508C:\Windows\system32\csrss.exe{15964E91-144F-620E-D007-000000003602}5980C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000033938Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:31.086{15964E91-0672-620E-BC00-000000003602}48522656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{15964E91-144F-620E-D007-000000003602}5980C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000033937Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:31.087{15964E91-144F-620E-D007-000000003602}5980C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{15964E91-054F-620E-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{15964E91-0672-620E-BC00-000000003602}4852C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000033958Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:31.536{15964E91-067A-620E-EA00-000000003602}944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-72.attackrange.local54596-false10.0.1.12-8000- 23542300x800000000000000033957Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:32.329{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4241558A5FC38D02AB9D87D0539447CB,SHA256=7155B3484C0B84B1374F7C5680423015EFE2DB7A6641D1A9C24AACD5307D1989,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000033970Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:33.428{15964E91-1451-620E-D207-000000003602}68205172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{15964E91-0672-620E-BC00-000000003602}4852C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000033969Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:33.428{15964E91-0551-620E-1100-000000003602}396NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=219C6A91E4520E7B8A42CC0334CA1D55,SHA256=BB523C686DEFD4D5840D31B957FCE6893E4C26A57A977E4AF15284EADEE9FED5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033968Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:33.344{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9DA8CCD4D0A079A55780AB2E2A14BDEF,SHA256=1323DDEE2431722FD86F36A3EA3040EFC7D24A925CD9E445408148980C54C38A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000033967Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:33.228{15964E91-0672-620E-C000-000000003602}31923852C:\Windows\system32\conhost.exe{15964E91-1451-620E-D207-000000003602}6820C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033966Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:33.228{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033965Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:33.228{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033964Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:33.228{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033963Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:33.228{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033962Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:33.228{15964E91-054E-620E-0500-000000003602}392476C:\Windows\system32\csrss.exe{15964E91-1451-620E-D207-000000003602}6820C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000033961Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:33.228{15964E91-0672-620E-BC00-000000003602}48522656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{15964E91-1451-620E-D207-000000003602}6820C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000033960Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:33.229{15964E91-1451-620E-D207-000000003602}6820C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{15964E91-054F-620E-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{15964E91-0672-620E-BC00-000000003602}4852C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000033959Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:33.013{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=393B92648C1459CC7F8E50C4F0D49325,SHA256=F928066788110B548371634918D3315901229AC60E5B75DC6B99F6BE86411A34,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000033981Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:34.545{15964E91-1452-620E-D307-000000003602}19806900C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{15964E91-0672-620E-BC00-000000003602}4852C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033980Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:34.380{15964E91-0672-620E-C000-000000003602}31923852C:\Windows\system32\conhost.exe{15964E91-1452-620E-D307-000000003602}1980C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033979Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:34.379{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033978Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:34.378{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033977Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:34.378{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033976Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:34.378{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033975Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:34.378{15964E91-054E-620E-0500-000000003602}392408C:\Windows\system32\csrss.exe{15964E91-1452-620E-D307-000000003602}1980C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000033974Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:34.378{15964E91-0672-620E-BC00-000000003602}48522656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{15964E91-1452-620E-D307-000000003602}1980C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000033973Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:34.377{15964E91-1452-620E-D307-000000003602}1980C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{15964E91-054F-620E-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{15964E91-0672-620E-BC00-000000003602}4852C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000033972Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:34.345{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1CE4F4755C0FF27B4BAF1DF8CEBC1F13,SHA256=042760D80797534E898F4D3323F0762350C98E9DA0D3DB1B5DF8CBC30123A57D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033971Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:34.244{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BB6A218B75515D9069901611FC9DD601,SHA256=3433CE7B29A8A174774D0C51FB57E1E2B6E2092003BF7B786848232B676C200F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034000Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:35.944{15964E91-0672-620E-C000-000000003602}31923852C:\Windows\system32\conhost.exe{15964E91-1453-620E-D507-000000003602}6652C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033999Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:35.944{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033998Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:35.944{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033997Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:35.944{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033996Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:35.944{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033995Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:35.944{15964E91-054E-620E-0500-000000003602}392408C:\Windows\system32\csrss.exe{15964E91-1453-620E-D507-000000003602}6652C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000033994Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:35.944{15964E91-0672-620E-BC00-000000003602}48522656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{15964E91-1453-620E-D507-000000003602}6652C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000033993Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:35.945{15964E91-1453-620E-D507-000000003602}6652C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{15964E91-054F-620E-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{15964E91-0672-620E-BC00-000000003602}4852C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000033992Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:35.414{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FB84AB4340989FC5C6484F997DC9C53E,SHA256=102220427B1E01BA4A12927BC8CF81BEC2F25B22D9D3BC9A96F01505AF36C7BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033991Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:35.382{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B86D8F2843BA2FF9DBE5908D1937DD77,SHA256=8DCE518FC43C344BF4C0B2A8C99FA2E60F3829C43A8D3371F9457C60F4125E13,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000033990Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:35.297{15964E91-1453-620E-D407-000000003602}46045092C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{15964E91-0672-620E-BC00-000000003602}4852C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033989Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:35.060{15964E91-0672-620E-C000-000000003602}31923852C:\Windows\system32\conhost.exe{15964E91-1453-620E-D407-000000003602}4604C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033988Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:35.060{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033987Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:35.060{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033986Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:35.060{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033985Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:35.060{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033984Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:35.060{15964E91-054E-620E-0500-000000003602}392408C:\Windows\system32\csrss.exe{15964E91-1453-620E-D407-000000003602}4604C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000033983Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:35.060{15964E91-0672-620E-BC00-000000003602}48522656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{15964E91-1453-620E-D407-000000003602}4604C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000033982Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:35.061{15964E91-1453-620E-D407-000000003602}4604C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{15964E91-054F-620E-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{15964E91-0672-620E-BC00-000000003602}4852C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000034002Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:36.945{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BEB301488A9AB850E4BCD3F048AAED22,SHA256=FECEE4F02012C52C9FA45D80CCAEDCA10015B1E1FA962945274758AEDCEA1733,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034001Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:36.412{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=577992EFB2294A1E37BC0423F36824D7,SHA256=0D313D3670F07C231AFE01E764B09668255C45F9511E68E4FB284A31A15A4522,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034004Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:36.706{15964E91-067A-620E-EA00-000000003602}944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-72.attackrange.local54597-false10.0.1.12-8000- 23542300x800000000000000034003Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:37.413{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6F415382CDDD7DBBF69C2FB55C879C4,SHA256=2262F1E277F17DDAE88BE73E57B4AF9811F06F25F37C779BE61E94379DCA6932,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034005Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:38.428{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB1FE72B0DA735751CD48A1AC9EF73F1,SHA256=B0BDEEB517C7F07FF52966085054B8261E93E2AAB5FB3027A8DF56E198239B67,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034041Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:39.828{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14CF37AF06092C1FCC3B04CE73A1303B,SHA256=0DE82D21074A2590F3A0A757CD9A4FCEFA8B8FBDB8D44017729A1EF89E45A636,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034040Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:39.178{15964E91-0551-620E-0D00-000000003602}880904C:\Windows\system32\svchost.exe{15964E91-0B4D-620E-6506-000000003602}3824C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034039Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:39.178{15964E91-0551-620E-0D00-000000003602}880904C:\Windows\system32\svchost.exe{15964E91-0B4D-620E-6506-000000003602}3824C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034038Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:39.178{15964E91-0551-620E-0D00-000000003602}880904C:\Windows\system32\svchost.exe{15964E91-0B4D-620E-6506-000000003602}3824C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034037Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:39.178{15964E91-0551-620E-0D00-000000003602}880904C:\Windows\system32\svchost.exe{15964E91-0B4D-620E-6506-000000003602}3824C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034036Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:39.177{15964E91-0551-620E-0D00-000000003602}880904C:\Windows\system32\svchost.exe{15964E91-0B4D-620E-6506-000000003602}3824C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034035Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:39.177{15964E91-0551-620E-0D00-000000003602}880904C:\Windows\system32\svchost.exe{15964E91-0B4D-620E-6506-000000003602}3824C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034034Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:39.177{15964E91-0551-620E-0D00-000000003602}880904C:\Windows\system32\svchost.exe{15964E91-0B4D-620E-6506-000000003602}3824C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034033Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:39.177{15964E91-0551-620E-0D00-000000003602}880904C:\Windows\system32\svchost.exe{15964E91-0B4D-620E-6506-000000003602}3824C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034032Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:39.177{15964E91-0551-620E-0D00-000000003602}880904C:\Windows\system32\svchost.exe{15964E91-0B4D-620E-6506-000000003602}3824C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034031Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:39.177{15964E91-0551-620E-0D00-000000003602}880904C:\Windows\system32\svchost.exe{15964E91-0B4D-620E-6506-000000003602}3824C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034030Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:39.177{15964E91-0551-620E-0D00-000000003602}880904C:\Windows\system32\svchost.exe{15964E91-0B4D-620E-6506-000000003602}3824C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034029Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:39.177{15964E91-0551-620E-0D00-000000003602}880904C:\Windows\system32\svchost.exe{15964E91-0B4D-620E-6506-000000003602}3824C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034028Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:39.177{15964E91-0551-620E-0D00-000000003602}880904C:\Windows\system32\svchost.exe{15964E91-0B4D-620E-6506-000000003602}3824C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034027Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:39.177{15964E91-0551-620E-0D00-000000003602}880904C:\Windows\system32\svchost.exe{15964E91-0B4D-620E-6506-000000003602}3824C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034026Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:39.177{15964E91-0551-620E-0D00-000000003602}880904C:\Windows\system32\svchost.exe{15964E91-0B4D-620E-6506-000000003602}3824C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034025Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:39.177{15964E91-0551-620E-0D00-000000003602}880904C:\Windows\system32\svchost.exe{15964E91-0B4D-620E-6506-000000003602}3824C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034024Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:39.177{15964E91-0551-620E-0D00-000000003602}880904C:\Windows\system32\svchost.exe{15964E91-0B4D-620E-6506-000000003602}3824C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034023Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:39.177{15964E91-0551-620E-0D00-000000003602}880904C:\Windows\system32\svchost.exe{15964E91-0B4D-620E-6506-000000003602}3824C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034022Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:39.177{15964E91-0551-620E-0D00-000000003602}880904C:\Windows\system32\svchost.exe{15964E91-0B4D-620E-6506-000000003602}3824C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034021Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:39.177{15964E91-0551-620E-0D00-000000003602}880904C:\Windows\system32\svchost.exe{15964E91-0B4D-620E-6506-000000003602}3824C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034020Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:39.177{15964E91-0551-620E-0D00-000000003602}880904C:\Windows\system32\svchost.exe{15964E91-0B4D-620E-6506-000000003602}3824C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034019Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:39.177{15964E91-0551-620E-0D00-000000003602}880904C:\Windows\system32\svchost.exe{15964E91-0B4D-620E-6506-000000003602}3824C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034018Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:39.176{15964E91-0551-620E-0D00-000000003602}880904C:\Windows\system32\svchost.exe{15964E91-0B59-620E-7306-000000003602}172C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034017Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:39.176{15964E91-0551-620E-0D00-000000003602}880904C:\Windows\system32\svchost.exe{15964E91-0B59-620E-7306-000000003602}172C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034016Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:39.176{15964E91-0551-620E-0D00-000000003602}880904C:\Windows\system32\svchost.exe{15964E91-0B59-620E-7306-000000003602}172C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034015Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:39.176{15964E91-0551-620E-0D00-000000003602}880904C:\Windows\system32\svchost.exe{15964E91-0B59-620E-7306-000000003602}172C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034014Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:39.176{15964E91-0551-620E-0D00-000000003602}880904C:\Windows\system32\svchost.exe{15964E91-0B59-620E-7306-000000003602}172C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034013Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:39.176{15964E91-0551-620E-0D00-000000003602}880904C:\Windows\system32\svchost.exe{15964E91-0B59-620E-7306-000000003602}172C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034012Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:39.176{15964E91-0551-620E-0D00-000000003602}880904C:\Windows\system32\svchost.exe{15964E91-0B59-620E-7306-000000003602}172C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034011Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:39.176{15964E91-0551-620E-0D00-000000003602}880904C:\Windows\system32\svchost.exe{15964E91-0B59-620E-7306-000000003602}172C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034010Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:39.176{15964E91-0551-620E-0D00-000000003602}880904C:\Windows\system32\svchost.exe{15964E91-0562-620E-2F00-000000003602}8C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034009Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:39.176{15964E91-0551-620E-0D00-000000003602}880904C:\Windows\system32\svchost.exe{15964E91-0562-620E-2F00-000000003602}8C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034008Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:39.175{15964E91-0551-620E-0D00-000000003602}880904C:\Windows\system32\svchost.exe{15964E91-0B5A-620E-7406-000000003602}1440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034007Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:39.175{15964E91-0551-620E-0D00-000000003602}880904C:\Windows\system32\svchost.exe{15964E91-0B5A-620E-7406-000000003602}1440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034006Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:39.175{15964E91-0551-620E-0D00-000000003602}880904C:\Windows\system32\svchost.exe{15964E91-0B5A-620E-7406-000000003602}1440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000034042Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:40.843{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D6DBC021EFACD6F87E34DC87FE7A287,SHA256=2BF140BC93879F530498A919C4E096D595289391D7FE9675E12A9501FA1A8E9F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034043Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:41.858{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BB9A08FB22FAABEF59844C6D4C647C6,SHA256=8F7FE1C0D590064A800130F64562E48FF07562A6843D6BE1C781C8AFB3752E0A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034044Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:42.859{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3059ECF4155279818934D7CE7479520F,SHA256=AFE77F8745D79E2483F3594D54EFCB65446D92010E9EA1F5E1E8E7AC2D1591B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034045Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:43.862{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03B2B3AF489C4D0FC240A20D6EE8BD10,SHA256=8B57071CC6CF32860523F9DBF15ADF608157D41EF1BE7AE0FB5DC3516E2AF702,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034047Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:44.883{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8A2496F8EE026798415B6F4A6E312BC,SHA256=005CBD1DD47AD30F03022B5D3CA66AD39787606347D9F67A20D2577664DD8B6F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034046Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:42.619{15964E91-067A-620E-EA00-000000003602}944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-72.attackrange.local54598-false10.0.1.12-8000- 23542300x800000000000000034048Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:45.898{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9248F0293E1B04C7305D7CEA1F7AD569,SHA256=60C67391113D536A317D1B711F7DCDF5951B7649A88A6CDFFC939D07F34AFBBF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034049Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:46.912{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90D5A5C9326309010F9CACB49FEA2787,SHA256=EF546E378BA59A5B2E961387CAB1A3B07FF99DBA45AABC77BD1D93ADCED86C64,IMPHASH=00000000000000000000000000000000falsetrue 17141700x800000000000000034054Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-CreatePipe2022-02-17 09:24:47.945{15964E91-0D67-620E-C106-000000003602}7132\chrome.7132.134.143744597C:\Program Files\Mozilla Firefox\firefox.exe 23542300x800000000000000034053Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:47.930{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75A75DBF5B4F8F2559A7EEB59326E1D7,SHA256=926978B1B9B75788BDC084516F8DBED74706A5A5C0D1D077BFA31911D32A286D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034052Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:47.898{15964E91-0D67-620E-C106-000000003602}71324796C:\Program Files\Mozilla Firefox\firefox.exe{15964E91-1374-620E-B107-000000003602}6224C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+2ba20|C:\Program Files\Mozilla Firefox\xul.dll+e4d42d|C:\Program Files\Mozilla Firefox\xul.dll+e4ceb8|C:\Program Files\Mozilla Firefox\xul.dll+844fb2|C:\Program Files\Mozilla Firefox\xul.dll+8390ea|C:\Program Files\Mozilla Firefox\xul.dll+19df6f7|C:\Program Files\Mozilla Firefox\xul.dll+16aee96|C:\Program Files\Mozilla Firefox\xul.dll+1a05b8f|C:\Program Files\Mozilla Firefox\xul.dll+9945bf|C:\Program Files\Mozilla Firefox\xul.dll+2479e|C:\Program Files\Mozilla Firefox\xul.dll+18eaa8|C:\Program Files\Mozilla Firefox\xul.dll+18d99f|C:\Program Files\Mozilla Firefox\xul.dll+43e0a51|C:\Program Files\Mozilla Firefox\xul.dll+444af9b|C:\Program Files\Mozilla Firefox\xul.dll+444bd89|C:\Program Files\Mozilla Firefox\xul.dll+1f9ea33|C:\Program Files\Mozilla Firefox\firefox.exe+9e20|C:\Program Files\Mozilla Firefox\firefox.exe+1ca68|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034051Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:47.883{15964E91-0D67-620E-C106-000000003602}71324796C:\Program Files\Mozilla Firefox\firefox.exe{15964E91-1385-620E-B207-000000003602}6624C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+2ba20|C:\Program Files\Mozilla Firefox\xul.dll+e4d42d|C:\Program Files\Mozilla Firefox\xul.dll+e47659|C:\Program Files\Mozilla Firefox\xul.dll+e48048|C:\Program Files\Mozilla Firefox\xul.dll+e363d1|C:\Program Files\Mozilla Firefox\xul.dll+4218b14|C:\Program Files\Mozilla Firefox\xul.dll+243d6f0|C:\Program Files\Mozilla Firefox\xul.dll+98726e|C:\Program Files\Mozilla Firefox\xul.dll+948901|C:\Program Files\Mozilla Firefox\xul.dll+18f18d|C:\Program Files\Mozilla Firefox\xul.dll+98a737|C:\Program Files\Mozilla Firefox\xul.dll+43751f6|C:\Program Files\Mozilla Firefox\xul.dll+95183a|C:\Program Files\Mozilla Firefox\xul.dll+95d654|C:\Program Files\Mozilla Firefox\xul.dll+95c47e|C:\Program Files\Mozilla Firefox\xul.dll+8959ca|C:\Program Files\Mozilla Firefox\xul.dll+82af27|C:\Program Files\Mozilla Firefox\xul.dll+19df6f7|C:\Program Files\Mozilla Firefox\xul.dll+16aee96|C:\Program Files\Mozilla Firefox\xul.dll+1a05b8f|C:\Program Files\Mozilla Firefox\xul.dll+9945bf|C:\Program Files\Mozilla Firefox\xul.dll+2479e 13241300x800000000000000034050Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-SetValue2022-02-17 09:24:47.128{15964E91-0551-620E-1200-000000003602}416C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d823e0-0x34b3ef34) 10341000x800000000000000034106Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:48.985{15964E91-0551-620E-1200-000000003602}4161700C:\Windows\system32\svchost.exe{15964E91-1460-620E-D607-000000003602}5300C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034105Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:48.984{15964E91-0551-620E-1200-000000003602}4161700C:\Windows\system32\svchost.exe{15964E91-1460-620E-D607-000000003602}5300C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034104Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:48.974{15964E91-054F-620E-0B00-000000003602}608648C:\Windows\system32\lsass.exe{15964E91-1460-620E-D607-000000003602}5300C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034103Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:48.974{15964E91-054F-620E-0B00-000000003602}608648C:\Windows\system32\lsass.exe{15964E91-1460-620E-D607-000000003602}5300C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x800000000000000034102Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-ConnectPipe2022-02-17 09:24:48.958{15964E91-0D67-620E-C106-000000003602}7132\cubeb-pipe-7132-46C:\Program Files\Mozilla Firefox\firefox.exe 17141700x800000000000000034101Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-CreatePipe2022-02-17 09:24:48.958{15964E91-0D67-620E-C106-000000003602}7132\cubeb-pipe-7132-46C:\Program Files\Mozilla Firefox\firefox.exe 10341000x800000000000000034100Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:48.946{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-1460-620E-D607-000000003602}5300C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034099Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:48.946{15964E91-0551-620E-1600-000000003602}13281368C:\Windows\system32\svchost.exe{15964E91-1460-620E-D607-000000003602}5300C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x800000000000000034098Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-ConnectPipe2022-02-17 09:24:48.942{15964E91-0D69-620E-C206-000000003602}6692\chrome.7132.136.8143004C:\Program Files\Mozilla Firefox\firefox.exe 17141700x800000000000000034097Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-CreatePipe2022-02-17 09:24:48.942{15964E91-0D67-620E-C106-000000003602}7132\chrome.7132.136.8143004C:\Program Files\Mozilla Firefox\firefox.exe 10341000x800000000000000034096Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:48.942{15964E91-0D67-620E-C106-000000003602}71322220C:\Program Files\Mozilla Firefox\firefox.exe{15964E91-1460-620E-D607-000000003602}5300C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+19fd0bf|C:\Program Files\Mozilla Firefox\xul.dll+19fb95b|C:\Program Files\Mozilla Firefox\xul.dll+12bc5|C:\Program Files\Mozilla Firefox\xul.dll+9945bf|C:\Program Files\Mozilla Firefox\xul.dll+127a7|C:\Program Files\Mozilla Firefox\xul.dll+991801|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1d4d8|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x800000000000000034095Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-ConnectPipe2022-02-17 09:24:48.942{15964E91-0D67-620E-C106-000000003602}7132\chrome.7132.135.197757520C:\Program Files\Mozilla Firefox\firefox.exe 10341000x800000000000000034094Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:48.938{15964E91-0D67-620E-C106-000000003602}71323292C:\Program Files\Mozilla Firefox\firefox.exe{15964E91-1460-620E-D607-000000003602}5300C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+12332b|C:\Program Files\Mozilla Firefox\xul.dll+121a9ff|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1d4d8|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x800000000000000034093Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-ConnectPipe2022-02-17 09:24:48.938{15964E91-0D67-620E-C106-000000003602}7132\gecko-crash-server-pipe.7132C:\Program Files\Mozilla Firefox\firefox.exe 10341000x800000000000000034092Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:48.910{15964E91-0D67-620E-C106-000000003602}71324796C:\Program Files\Mozilla Firefox\firefox.exe{15964E91-1460-620E-D607-000000003602}5300C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+2ba20|C:\Program Files\Mozilla Firefox\xul.dll+e4d42d|C:\Program Files\Mozilla Firefox\xul.dll+e47659|C:\Program Files\Mozilla Firefox\xul.dll+e38491|C:\Program Files\Mozilla Firefox\xul.dll+e46718|C:\Program Files\Mozilla Firefox\xul.dll+7cb4e4|C:\Program Files\Mozilla Firefox\xul.dll+19df6f7|C:\Program Files\Mozilla Firefox\xul.dll+16aee96|C:\Program Files\Mozilla Firefox\xul.dll+1a05b8f|C:\Program Files\Mozilla Firefox\xul.dll+9945bf|C:\Program Files\Mozilla Firefox\xul.dll+2479e|C:\Program Files\Mozilla Firefox\xul.dll+18eaa8|C:\Program Files\Mozilla Firefox\xul.dll+18d99f|C:\Program Files\Mozilla Firefox\xul.dll+43e0a51|C:\Program Files\Mozilla Firefox\xul.dll+444af9b|C:\Program Files\Mozilla Firefox\xul.dll+444bd89|C:\Program Files\Mozilla Firefox\xul.dll+1f9ea33|C:\Program Files\Mozilla Firefox\firefox.exe+9e20|C:\Program Files\Mozilla Firefox\firefox.exe+1ca68|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034091Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:48.910{15964E91-0D67-620E-C106-000000003602}71322220C:\Program Files\Mozilla Firefox\firefox.exe{15964E91-1460-620E-D607-000000003602}5300C:\Program Files\Mozilla Firefox\firefox.exe0x101451C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+9a99af|C:\Program Files\Mozilla Firefox\xul.dll+7cb4e4|C:\Program Files\Mozilla Firefox\xul.dll+19fb56f|C:\Program Files\Mozilla Firefox\xul.dll+12bc5|C:\Program Files\Mozilla Firefox\xul.dll+9945bf|C:\Program Files\Mozilla Firefox\xul.dll+127a7|C:\Program Files\Mozilla Firefox\xul.dll+991801|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1d4d8|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034090Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:48.906{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034089Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:48.906{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034088Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:48.906{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034087Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:48.906{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034086Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:48.902{15964E91-0B49-620E-4B06-000000003602}24362168C:\Windows\system32\csrss.exe{15964E91-1460-620E-D607-000000003602}5300C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000034085Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:48.902{15964E91-0D67-620E-C106-000000003602}71326696C:\Program Files\Mozilla Firefox\firefox.exe{15964E91-1460-620E-D607-000000003602}5300C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\ADVAPI32.dll+189bf|C:\Program Files\Mozilla Firefox\firefox.exe+30d6d|C:\Program Files\Mozilla Firefox\firefox.exe+2ff95|C:\Program Files\Mozilla Firefox\xul.dll+205542a|C:\Program Files\Mozilla Firefox\xul.dll+9a599e|C:\Program Files\Mozilla Firefox\xul.dll+9a3b55|C:\Program Files\Mozilla Firefox\xul.dll+9aa7de|C:\Program Files\Mozilla Firefox\xul.dll+83735d|C:\Program Files\Mozilla Firefox\xul.dll+16af1e9|C:\Program Files\Mozilla Firefox\xul.dll+16ae34a|C:\Program Files\Mozilla Firefox\xul.dll+9945bf|C:\Program Files\Mozilla Firefox\xul.dll+2479e|C:\Program Files\Mozilla Firefox\xul.dll+83a0fb|C:\Program Files\Mozilla Firefox\nss3.dll+6b2c|C:\Program Files\Mozilla Firefox\nss3.dll+8feb1|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1d4d8|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000034084Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:48.902{15964E91-1460-620E-D607-000000003602}5300C:\Program Files\Mozilla Firefox\firefox.exe97.0FirefoxFirefoxMozilla Corporationfirefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="7132.135.1977575200\1030004819" -childID 47 -isForBrowser -prefsHandle 8112 -prefMapHandle 9060 -prefsLen 14938 -prefMapSize 242227 -jsInitHandle 1064 -jsInitLen 279340 -parentBuildID 20220202182137 -appDir "C:\Program Files\Mozilla Firefox\browser" - 7132 "\\.\pipe\gecko-crash-server-pipe.7132" 5128 27b9fed6e48 tabC:\Program Files\Mozilla Firefox\ATTACKRANGE\Administrator{15964E91-0B4B-620E-27B1-370000000000}0x37b1272LowMD5=483C957E78DC5F376690F2A723122472,SHA256=D6BBFEF307CEF9D87BA5D40AC14315545CEFBBDECF705912C52C848EEBF8649D,IMPHASH=FAFFE564A2DAFFCCC4A6BE71D34C1748{15964E91-0D67-620E-C106-000000003602}7132C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" 10341000x800000000000000034083Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:48.898{15964E91-054F-620E-0B00-000000003602}608648C:\Windows\system32\lsass.exe{15964E91-0D67-620E-C106-000000003602}7132C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034082Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:48.898{15964E91-054F-620E-0B00-000000003602}608648C:\Windows\system32\lsass.exe{15964E91-0D67-620E-C106-000000003602}7132C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034081Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:48.898{15964E91-054F-620E-0B00-000000003602}608648C:\Windows\system32\lsass.exe{15964E91-0D67-620E-C106-000000003602}7132C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034080Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:48.898{15964E91-054F-620E-0B00-000000003602}608648C:\Windows\system32\lsass.exe{15964E91-0D67-620E-C106-000000003602}7132C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034079Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:48.898{15964E91-054F-620E-0B00-000000003602}608648C:\Windows\system32\lsass.exe{15964E91-0D67-620E-C106-000000003602}7132C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034078Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:48.898{15964E91-054F-620E-0B00-000000003602}608648C:\Windows\system32\lsass.exe{15964E91-0D67-620E-C106-000000003602}7132C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034077Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:48.898{15964E91-054F-620E-0B00-000000003602}608648C:\Windows\system32\lsass.exe{15964E91-0D67-620E-C106-000000003602}7132C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034076Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:48.898{15964E91-054F-620E-0B00-000000003602}608648C:\Windows\system32\lsass.exe{15964E91-0D67-620E-C106-000000003602}7132C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034075Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:48.898{15964E91-054F-620E-0B00-000000003602}608648C:\Windows\system32\lsass.exe{15964E91-0D67-620E-C106-000000003602}7132C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034074Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:48.898{15964E91-054F-620E-0B00-000000003602}608648C:\Windows\system32\lsass.exe{15964E91-0D67-620E-C106-000000003602}7132C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034073Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:48.898{15964E91-054F-620E-0B00-000000003602}608648C:\Windows\system32\lsass.exe{15964E91-0D67-620E-C106-000000003602}7132C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034072Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:48.898{15964E91-054F-620E-0B00-000000003602}608648C:\Windows\system32\lsass.exe{15964E91-0D67-620E-C106-000000003602}7132C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034071Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:48.894{15964E91-054F-620E-0B00-000000003602}608648C:\Windows\system32\lsass.exe{15964E91-0D67-620E-C106-000000003602}7132C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034070Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:48.894{15964E91-054F-620E-0B00-000000003602}608648C:\Windows\system32\lsass.exe{15964E91-0D67-620E-C106-000000003602}7132C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034069Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:48.894{15964E91-054F-620E-0B00-000000003602}608648C:\Windows\system32\lsass.exe{15964E91-0D67-620E-C106-000000003602}7132C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034068Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:48.894{15964E91-054F-620E-0B00-000000003602}608648C:\Windows\system32\lsass.exe{15964E91-0D67-620E-C106-000000003602}7132C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034067Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:48.894{15964E91-054F-620E-0B00-000000003602}608648C:\Windows\system32\lsass.exe{15964E91-0D67-620E-C106-000000003602}7132C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034066Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:48.894{15964E91-054F-620E-0B00-000000003602}608648C:\Windows\system32\lsass.exe{15964E91-0D67-620E-C106-000000003602}7132C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034065Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:48.894{15964E91-054F-620E-0B00-000000003602}608648C:\Windows\system32\lsass.exe{15964E91-0D67-620E-C106-000000003602}7132C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034064Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:48.894{15964E91-054F-620E-0B00-000000003602}608648C:\Windows\system32\lsass.exe{15964E91-0D67-620E-C106-000000003602}7132C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034063Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:48.890{15964E91-054F-620E-0B00-000000003602}608648C:\Windows\system32\lsass.exe{15964E91-0D67-620E-C106-000000003602}7132C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034062Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:48.890{15964E91-054F-620E-0B00-000000003602}608648C:\Windows\system32\lsass.exe{15964E91-0D67-620E-C106-000000003602}7132C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034061Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:48.890{15964E91-054F-620E-0B00-000000003602}608648C:\Windows\system32\lsass.exe{15964E91-0D67-620E-C106-000000003602}7132C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034060Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:48.890{15964E91-054F-620E-0B00-000000003602}608648C:\Windows\system32\lsass.exe{15964E91-0D67-620E-C106-000000003602}7132C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034059Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:48.890{15964E91-054F-620E-0B00-000000003602}608648C:\Windows\system32\lsass.exe{15964E91-0D67-620E-C106-000000003602}7132C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034058Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:48.890{15964E91-054F-620E-0B00-000000003602}608648C:\Windows\system32\lsass.exe{15964E91-0D67-620E-C106-000000003602}7132C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 17141700x800000000000000034057Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-CreatePipe2022-02-17 09:24:48.887{15964E91-0D67-620E-C106-000000003602}7132\chrome.7132.135.197757520C:\Program Files\Mozilla Firefox\firefox.exe 23542300x800000000000000034056Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:48.391{15964E91-0D67-620E-C106-000000003602}7132ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\lqyh10pn.default-release\cache2\doomed\16757MD5=2D1E43EDFD81AC28BA73EBF549539ADE,SHA256=A7CF371E5FBF01DF51ECD4150AE4A3EA68C820AB289F43EBFCE8CC4E97FA0409,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034055Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:47.998{15964E91-0551-620E-1200-000000003602}4161700C:\Windows\system32\svchost.exe{15964E91-1385-620E-B207-000000003602}6624C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000034113Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:49.952{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39738B9DCAD73C4E0A3F2E1EE72C369F,SHA256=BB2A54B54A6C9ACB60BA54F48A2E32E5C178345ECF8AEA579B4AD06EE0C27BD2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034112Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:49.904{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5445C09E66BDBA644A3BD0E227AD0051,SHA256=FB07D05B4FD532BBF5BC218B668224E684B2D6F45F565F37D8D7868579CCD142,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034111Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:49.904{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B77BE8C341179F041B0E7FF5984355AE,SHA256=B7F69651C43B0854DD352B081CC97726BE42D98EBCAB7660DB8D3A44AB32B527,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034110Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:49.001{15964E91-0562-620E-2A00-000000003602}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-72.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-72.attackrange.local53869- 354300x800000000000000034109Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:48.948{15964E91-0562-620E-2A00-000000003602}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-72.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-72.attackrange.local55872- 23542300x800000000000000034108Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:49.363{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5438216534AAA421C4FB54DA4C3E40F7,SHA256=E5BE2CF6869AAA1B7B0AD3DDA72D9F4BFE1099749C1B8692845D233DFFCAAA56,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034107Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:48.578{15964E91-067A-620E-EA00-000000003602}944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-72.attackrange.local54599-false10.0.1.12-8000- 23542300x800000000000000034117Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:50.957{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC11C4153863C090E9B6FE19928DB7AD,SHA256=BF69C9BF422F47DC76C57A4A11CAA0BF90FA8B3168BE9E3AA6058E89C2693B7D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034116Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:50.489{15964E91-0D67-620E-C106-000000003602}7132ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\lqyh10pn.default-release\permissions.sqlite-journalMD5=91289A9A2E9976D3D44052D7ACCCBDC2,SHA256=43F1D42C0DB6B73D8D19B3B494B1884ECC5F6F9E227E8B2894CCC8B4DD111611,IMPHASH=00000000000000000000000000000000falsetrue 22542200x800000000000000034115Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:48.454{15964E91-0D67-620E-C106-000000003602}7132plus.l.google.com02a00:1450:4001:830::200e;C:\Program Files\Mozilla Firefox\firefox.exe 354300x800000000000000034114Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:49.006{15964E91-0562-620E-2A00-000000003602}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-72.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-72.attackrange.local63892- 23542300x800000000000000034118Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:51.958{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C33B9A1642E83CC9BEB6D2F2B0A11277,SHA256=FF6B486499C9BC9B2AAD34D95EC899650E418458AC1CDD7B851E88A0621DB30B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034120Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:52.964{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4FA30634485B52FD3F950AC69A73D1A,SHA256=12B2F64DF3F35EBE6ADE935899B132E33FBF0F20F918783D6E2F9A568A32E218,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034119Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:52.875{15964E91-0D67-620E-C106-000000003602}7132ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\lqyh10pn.default-release\cache2\doomed\1675MD5=AB4BA165721E9BAE1DABC0C5EBF50F22,SHA256=4A721E2DCFF5C94AC8FDF9E12EE54965454AFA185EC41BB701B55F32E7B4B03C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034125Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:53.969{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D93375C8930E814CED5F7887EED7E55,SHA256=C56B0F37C28AE33143395F0285181D6CD70F2BDD93B87467FC4077E02C9E2544,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034124Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:53.376{15964E91-0D67-620E-C106-000000003602}7132ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\lqyh10pn.default-release\webappsstore.sqlite-walMD5=53FA19F1532783027FC26B19F0CC73D2,SHA256=FE79E7DEEF38234BB7F1296BD4C48534E7319E90FBF9F32CE7C35288A37CBC3C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034123Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:53.372{15964E91-0D67-620E-C106-000000003602}7132ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\lqyh10pn.default-release\webappsstore.sqlite-shmMD5=5924998FEEE62F61B766985F27E86395,SHA256=A26A27AE3F55C554FCC25912C4BACF64A4FB061DF227312D2A587232A3B07E21,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034122Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:53.368{15964E91-0D67-620E-C106-000000003602}7132ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\lqyh10pn.default-release\storage\default\https+++www.google.com\ls\data.sqlite-journalMD5=A5C1223AEABB753B4DFC254312297850,SHA256=B7576F38654027908EF5AFECBD99AF74C5AB658A2E08A550E92AED36A7A8CAD4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034121Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:53.352{15964E91-0D67-620E-C106-000000003602}7132ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\lqyh10pn.default-release\storage\default\https+++www.google.com\ls\usageMD5=C26F23E43A33D3A50EB716E5AA8FF1B2,SHA256=291C3CA5526E021864E5FF85DCD614703DC035BB8DF5B68326568A6033AC4FC1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034126Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:54.970{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB5A682DECA400B176A9EE92D8777ED2,SHA256=B6F2C5F2742CC22D31EA600C1A1DF1C0224A7CB7C885069E61BEBF2BD17E8ADC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034127Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:55.972{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7DBE9F24FBA3CD4387BFA392C3B0333,SHA256=C84921758D62EFA6F5034380F10BBCEA8F3B1A16E8CDB5805067B5ED4DEBF979,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034128Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:53.678{15964E91-067A-620E-EA00-000000003602}944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-72.attackrange.local54600-false10.0.1.12-8000- 23542300x800000000000000034129Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:57.077{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F7DBC5C3F8477D3B825744BE60E87B1,SHA256=9296B1A9FCE3A46610A65CE974EE86E494FF37CE520463FE20C1BF240FC89135,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034130Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:58.079{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6204FEEA0BD0E24949FB21257E4F0D0E,SHA256=C126F95B6E01F9C502460FBAAB2561CDD5ED7251A13E6124166E25B9E169EC65,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034131Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:59.091{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A10A3B682A01D672E5BA353C3A267BFC,SHA256=859DD364F3E644AD4684BB78EA7B177A0183A7D32089E25B48DD55D7ED76F1BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034132Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:00.116{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A2FDCF9EB65B817C7A11AF98969F151,SHA256=8A3E55DDED9566BF247CAC343CF756C78CD4A337D2D6FAEB460D0D8D4250300D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034134Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:01.121{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61AD205974433235CA7A9209B425303B,SHA256=F4910BF45A0A261998EAA0492E1B5EC68B4F2F1351A2FE395BD1EBA50657B342,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034133Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:24:58.739{15964E91-067A-620E-EA00-000000003602}944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-72.attackrange.local54601-false10.0.1.12-8000- 10341000x800000000000000034139Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:02.782{15964E91-0551-620E-1200-000000003602}4161700C:\Windows\system32\svchost.exe{15964E91-1428-620E-CD07-000000003602}5568C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 17141700x800000000000000034138Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-CreatePipe2022-02-17 09:25:02.512{15964E91-0D67-620E-C106-000000003602}7132\chrome.7132.137.202538484C:\Program Files\Mozilla Firefox\firefox.exe 10341000x800000000000000034137Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:02.501{15964E91-0D67-620E-C106-000000003602}71324796C:\Program Files\Mozilla Firefox\firefox.exe{15964E91-1385-620E-B207-000000003602}6624C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+2ba20|C:\Program Files\Mozilla Firefox\xul.dll+e4d42d|C:\Program Files\Mozilla Firefox\xul.dll+e4ceb8|C:\Program Files\Mozilla Firefox\xul.dll+844fb2|C:\Program Files\Mozilla Firefox\xul.dll+8390ea|C:\Program Files\Mozilla Firefox\xul.dll+19df6f7|C:\Program Files\Mozilla Firefox\xul.dll+16aee96|C:\Program Files\Mozilla Firefox\xul.dll+1a05b8f|C:\Program Files\Mozilla Firefox\xul.dll+9945bf|C:\Program Files\Mozilla Firefox\xul.dll+2479e|C:\Program Files\Mozilla Firefox\xul.dll+18eaa8|C:\Program Files\Mozilla Firefox\xul.dll+18d99f|C:\Program Files\Mozilla Firefox\xul.dll+43e0a51|C:\Program Files\Mozilla Firefox\xul.dll+444af9b|C:\Program Files\Mozilla Firefox\xul.dll+444bd89|C:\Program Files\Mozilla Firefox\xul.dll+1f9ea33|C:\Program Files\Mozilla Firefox\firefox.exe+9e20|C:\Program Files\Mozilla Firefox\firefox.exe+1ca68|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034136Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:02.492{15964E91-0D67-620E-C106-000000003602}71324796C:\Program Files\Mozilla Firefox\firefox.exe{15964E91-1428-620E-CD07-000000003602}5568C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+2ba20|C:\Program Files\Mozilla Firefox\xul.dll+e4d42d|C:\Program Files\Mozilla Firefox\xul.dll+e47659|C:\Program Files\Mozilla Firefox\xul.dll+e48048|C:\Program Files\Mozilla Firefox\xul.dll+e363d1|C:\Program Files\Mozilla Firefox\xul.dll+4218b14|C:\Program Files\Mozilla Firefox\xul.dll+243d6f0|C:\Program Files\Mozilla Firefox\xul.dll+98726e|C:\Program Files\Mozilla Firefox\xul.dll+948901|C:\Program Files\Mozilla Firefox\xul.dll+18f18d|C:\Program Files\Mozilla Firefox\xul.dll+98a737|C:\Program Files\Mozilla Firefox\xul.dll+95183a|C:\Program Files\Mozilla Firefox\xul.dll+9545f1|C:\Program Files\Mozilla Firefox\xul.dll+95340e|C:\Program Files\Mozilla Firefox\xul.dll+952787|C:\Program Files\Mozilla Firefox\xul.dll+95c8a2|C:\Program Files\Mozilla Firefox\xul.dll+8959ca|C:\Program Files\Mozilla Firefox\xul.dll+82af27|C:\Program Files\Mozilla Firefox\xul.dll+19df6f7|C:\Program Files\Mozilla Firefox\xul.dll+16aee96|C:\Program Files\Mozilla Firefox\xul.dll+1a05b8f|C:\Program Files\Mozilla Firefox\xul.dll+9945bf 23542300x800000000000000034135Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:02.126{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD9C84D0B814324590BB44A035842BE7,SHA256=99B62597F5DFA639C14FA5338270994DF99E6A5E4A6980D28539164DCE660942,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034194Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:03.082{15964E91-0D67-620E-C106-000000003602}7132C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-tcontreras-attack-range-72.attackrange.local54603-false185.199.108.154cdn-185-199-108-154.github.com443https 10341000x800000000000000034193Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:03.603{15964E91-0551-620E-1200-000000003602}4161700C:\Windows\system32\svchost.exe{15964E91-146F-620E-D707-000000003602}5032C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000034192Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:03.603{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A427053121DDA88F8EBBC9C439BD587,SHA256=63E4E8604FD6BFA83B4D53B966397E8FFA430C9C5892BDF8A68EDDBA8C67673D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034191Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:03.603{15964E91-0551-620E-1200-000000003602}4161700C:\Windows\system32\svchost.exe{15964E91-146F-620E-D707-000000003602}5032C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034190Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:03.587{15964E91-054F-620E-0B00-000000003602}608656C:\Windows\system32\lsass.exe{15964E91-146F-620E-D707-000000003602}5032C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034189Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:03.587{15964E91-054F-620E-0B00-000000003602}608656C:\Windows\system32\lsass.exe{15964E91-146F-620E-D707-000000003602}5032C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x800000000000000034188Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-ConnectPipe2022-02-17 09:25:03.563{15964E91-0D67-620E-C106-000000003602}7132\cubeb-pipe-7132-47C:\Program Files\Mozilla Firefox\firefox.exe 17141700x800000000000000034187Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-CreatePipe2022-02-17 09:25:03.563{15964E91-0D67-620E-C106-000000003602}7132\cubeb-pipe-7132-47C:\Program Files\Mozilla Firefox\firefox.exe 10341000x800000000000000034186Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:03.543{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-146F-620E-D707-000000003602}5032C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034185Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:03.539{15964E91-0551-620E-1600-000000003602}13281368C:\Windows\system32\svchost.exe{15964E91-146F-620E-D707-000000003602}5032C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x800000000000000034184Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-ConnectPipe2022-02-17 09:25:03.539{15964E91-0D69-620E-C206-000000003602}6692\chrome.7132.139.51696225C:\Program Files\Mozilla Firefox\firefox.exe 17141700x800000000000000034183Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-CreatePipe2022-02-17 09:25:03.539{15964E91-0D67-620E-C106-000000003602}7132\chrome.7132.139.51696225C:\Program Files\Mozilla Firefox\firefox.exe 10341000x800000000000000034182Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:03.539{15964E91-0D67-620E-C106-000000003602}71322220C:\Program Files\Mozilla Firefox\firefox.exe{15964E91-146F-620E-D707-000000003602}5032C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+19fd0bf|C:\Program Files\Mozilla Firefox\xul.dll+19fb95b|C:\Program Files\Mozilla Firefox\xul.dll+12bc5|C:\Program Files\Mozilla Firefox\xul.dll+9945bf|C:\Program Files\Mozilla Firefox\xul.dll+127a7|C:\Program Files\Mozilla Firefox\xul.dll+991801|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1d4d8|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x800000000000000034181Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-ConnectPipe2022-02-17 09:25:03.539{15964E91-0D67-620E-C106-000000003602}7132\chrome.7132.138.147582663C:\Program Files\Mozilla Firefox\firefox.exe 10341000x800000000000000034180Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:03.535{15964E91-0D67-620E-C106-000000003602}71323292C:\Program Files\Mozilla Firefox\firefox.exe{15964E91-146F-620E-D707-000000003602}5032C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+12332b|C:\Program Files\Mozilla Firefox\xul.dll+121a9ff|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1d4d8|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x800000000000000034179Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-ConnectPipe2022-02-17 09:25:03.535{15964E91-0D67-620E-C106-000000003602}7132\gecko-crash-server-pipe.7132C:\Program Files\Mozilla Firefox\firefox.exe 10341000x800000000000000034178Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:03.515{15964E91-0D67-620E-C106-000000003602}71324796C:\Program Files\Mozilla Firefox\firefox.exe{15964E91-146F-620E-D707-000000003602}5032C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+2ba20|C:\Program Files\Mozilla Firefox\xul.dll+e4d42d|C:\Program Files\Mozilla Firefox\xul.dll+e47659|C:\Program Files\Mozilla Firefox\xul.dll+e38491|C:\Program Files\Mozilla Firefox\xul.dll+e46718|C:\Program Files\Mozilla Firefox\xul.dll+7cb4e4|C:\Program Files\Mozilla Firefox\xul.dll+19df6f7|C:\Program Files\Mozilla Firefox\xul.dll+19de1b3|C:\Program Files\Mozilla Firefox\xul.dll+16b00b5|C:\Program Files\Mozilla Firefox\xul.dll+1a05d93|C:\Program Files\Mozilla Firefox\xul.dll+9945bf|C:\Program Files\Mozilla Firefox\xul.dll+2479e|C:\Program Files\Mozilla Firefox\xul.dll+18eaa8|C:\Program Files\Mozilla Firefox\xul.dll+18d99f|C:\Program Files\Mozilla Firefox\xul.dll+43e0a51|C:\Program Files\Mozilla Firefox\xul.dll+444af9b|C:\Program Files\Mozilla Firefox\xul.dll+444bd89|C:\Program Files\Mozilla Firefox\xul.dll+1f9ea33|C:\Program Files\Mozilla Firefox\firefox.exe+9e20|C:\Program Files\Mozilla Firefox\firefox.exe+1ca68|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034177Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:03.514{15964E91-0D67-620E-C106-000000003602}71322220C:\Program Files\Mozilla Firefox\firefox.exe{15964E91-146F-620E-D707-000000003602}5032C:\Program Files\Mozilla Firefox\firefox.exe0x101451C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+9a99af|C:\Program Files\Mozilla Firefox\xul.dll+7cb4e4|C:\Program Files\Mozilla Firefox\xul.dll+19fb56f|C:\Program Files\Mozilla Firefox\xul.dll+12bc5|C:\Program Files\Mozilla Firefox\xul.dll+9945bf|C:\Program Files\Mozilla Firefox\xul.dll+127a7|C:\Program Files\Mozilla Firefox\xul.dll+991801|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1d4d8|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034176Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:03.509{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034175Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:03.508{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034174Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:03.508{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034173Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:03.508{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034172Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:03.508{15964E91-0B49-620E-4B06-000000003602}24361352C:\Windows\system32\csrss.exe{15964E91-146F-620E-D707-000000003602}5032C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000034171Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:03.508{15964E91-0D67-620E-C106-000000003602}71326696C:\Program Files\Mozilla Firefox\firefox.exe{15964E91-146F-620E-D707-000000003602}5032C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\ADVAPI32.dll+189bf|C:\Program Files\Mozilla Firefox\firefox.exe+30d6d|C:\Program Files\Mozilla Firefox\firefox.exe+2ff95|C:\Program Files\Mozilla Firefox\xul.dll+205542a|C:\Program Files\Mozilla Firefox\xul.dll+9a599e|C:\Program Files\Mozilla Firefox\xul.dll+9a3b55|C:\Program Files\Mozilla Firefox\xul.dll+9aa7de|C:\Program Files\Mozilla Firefox\xul.dll+83735d|C:\Program Files\Mozilla Firefox\xul.dll+16af1e9|C:\Program Files\Mozilla Firefox\xul.dll+16ae34a|C:\Program Files\Mozilla Firefox\xul.dll+9945bf|C:\Program Files\Mozilla Firefox\xul.dll+2479e|C:\Program Files\Mozilla Firefox\xul.dll+83a0fb|C:\Program Files\Mozilla Firefox\nss3.dll+6b2c|C:\Program Files\Mozilla Firefox\nss3.dll+8feb1|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1d4d8|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000034170Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:03.507{15964E91-146F-620E-D707-000000003602}5032C:\Program Files\Mozilla Firefox\firefox.exe97.0FirefoxFirefoxMozilla Corporationfirefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="7132.138.1475826635\350638408" -childID 48 -isForBrowser -prefsHandle 7212 -prefMapHandle 5132 -prefsLen 14938 -prefMapSize 242227 -jsInitHandle 1064 -jsInitLen 279340 -parentBuildID 20220202182137 -appDir "C:\Program Files\Mozilla Firefox\browser" - 7132 "\\.\pipe\gecko-crash-server-pipe.7132" 6464 27ba2207548 tabC:\Program Files\Mozilla Firefox\ATTACKRANGE\Administrator{15964E91-0B4B-620E-27B1-370000000000}0x37b1272LowMD5=483C957E78DC5F376690F2A723122472,SHA256=D6BBFEF307CEF9D87BA5D40AC14315545CEFBBDECF705912C52C848EEBF8649D,IMPHASH=FAFFE564A2DAFFCCC4A6BE71D34C1748{15964E91-0D67-620E-C106-000000003602}7132C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" 10341000x800000000000000034169Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:03.503{15964E91-054F-620E-0B00-000000003602}608656C:\Windows\system32\lsass.exe{15964E91-0D67-620E-C106-000000003602}7132C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034168Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:03.503{15964E91-054F-620E-0B00-000000003602}608656C:\Windows\system32\lsass.exe{15964E91-0D67-620E-C106-000000003602}7132C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034167Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:03.503{15964E91-054F-620E-0B00-000000003602}608656C:\Windows\system32\lsass.exe{15964E91-0D67-620E-C106-000000003602}7132C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034166Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:03.503{15964E91-054F-620E-0B00-000000003602}608656C:\Windows\system32\lsass.exe{15964E91-0D67-620E-C106-000000003602}7132C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034165Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:03.503{15964E91-054F-620E-0B00-000000003602}608656C:\Windows\system32\lsass.exe{15964E91-0D67-620E-C106-000000003602}7132C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034164Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:03.503{15964E91-054F-620E-0B00-000000003602}608656C:\Windows\system32\lsass.exe{15964E91-0D67-620E-C106-000000003602}7132C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034163Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:03.503{15964E91-054F-620E-0B00-000000003602}608656C:\Windows\system32\lsass.exe{15964E91-0D67-620E-C106-000000003602}7132C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034162Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:03.503{15964E91-054F-620E-0B00-000000003602}608656C:\Windows\system32\lsass.exe{15964E91-0D67-620E-C106-000000003602}7132C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034161Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:03.503{15964E91-054F-620E-0B00-000000003602}608656C:\Windows\system32\lsass.exe{15964E91-0D67-620E-C106-000000003602}7132C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034160Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:03.503{15964E91-054F-620E-0B00-000000003602}608656C:\Windows\system32\lsass.exe{15964E91-0D67-620E-C106-000000003602}7132C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034159Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:03.503{15964E91-054F-620E-0B00-000000003602}608656C:\Windows\system32\lsass.exe{15964E91-0D67-620E-C106-000000003602}7132C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034158Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:03.503{15964E91-054F-620E-0B00-000000003602}608656C:\Windows\system32\lsass.exe{15964E91-0D67-620E-C106-000000003602}7132C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034157Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:03.503{15964E91-054F-620E-0B00-000000003602}608656C:\Windows\system32\lsass.exe{15964E91-0D67-620E-C106-000000003602}7132C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034156Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:03.503{15964E91-054F-620E-0B00-000000003602}608656C:\Windows\system32\lsass.exe{15964E91-0D67-620E-C106-000000003602}7132C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034155Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:03.503{15964E91-054F-620E-0B00-000000003602}608656C:\Windows\system32\lsass.exe{15964E91-0D67-620E-C106-000000003602}7132C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034154Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:03.503{15964E91-054F-620E-0B00-000000003602}608656C:\Windows\system32\lsass.exe{15964E91-0D67-620E-C106-000000003602}7132C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034153Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:03.503{15964E91-054F-620E-0B00-000000003602}608656C:\Windows\system32\lsass.exe{15964E91-0D67-620E-C106-000000003602}7132C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034152Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:03.503{15964E91-054F-620E-0B00-000000003602}608656C:\Windows\system32\lsass.exe{15964E91-0D67-620E-C106-000000003602}7132C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034151Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:03.503{15964E91-054F-620E-0B00-000000003602}608656C:\Windows\system32\lsass.exe{15964E91-0D67-620E-C106-000000003602}7132C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034150Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:03.503{15964E91-054F-620E-0B00-000000003602}608656C:\Windows\system32\lsass.exe{15964E91-0D67-620E-C106-000000003602}7132C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034149Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:03.503{15964E91-054F-620E-0B00-000000003602}608656C:\Windows\system32\lsass.exe{15964E91-0D67-620E-C106-000000003602}7132C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034148Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:03.503{15964E91-054F-620E-0B00-000000003602}608656C:\Windows\system32\lsass.exe{15964E91-0D67-620E-C106-000000003602}7132C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034147Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:03.503{15964E91-054F-620E-0B00-000000003602}608656C:\Windows\system32\lsass.exe{15964E91-0D67-620E-C106-000000003602}7132C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034146Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:03.503{15964E91-054F-620E-0B00-000000003602}608656C:\Windows\system32\lsass.exe{15964E91-0D67-620E-C106-000000003602}7132C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034145Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:03.503{15964E91-054F-620E-0B00-000000003602}608656C:\Windows\system32\lsass.exe{15964E91-0D67-620E-C106-000000003602}7132C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034144Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:03.499{15964E91-054F-620E-0B00-000000003602}608656C:\Windows\system32\lsass.exe{15964E91-0D67-620E-C106-000000003602}7132C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 17141700x800000000000000034143Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-CreatePipe2022-02-17 09:25:03.495{15964E91-0D67-620E-C106-000000003602}7132\chrome.7132.138.147582663C:\Program Files\Mozilla Firefox\firefox.exe 354300x800000000000000034142Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:02.524{15964E91-0D67-620E-C106-000000003602}7132C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-tcontreras-attack-range-72.attackrange.local54602-false140.82.121.4lb-140-82-121-4-fra.github.com443https 23542300x800000000000000034141Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:03.139{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A158B9346D7ABB9DE52639B80708CAB,SHA256=7445E502E4263E0D572589077CD0C77AC6A3B04CEF152AD697D75F1D8D5A6790,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000034140Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-SetValue2022-02-17 09:25:03.122{15964E91-0551-620E-1200-000000003602}416C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d823e0-0x3e3c6dfb) 23542300x800000000000000034199Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:04.340{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E125007A77B617EECFA6D4249D6519F1,SHA256=723FE25F6C8CB2042664E1ACF0F9BA213624B6D2ADB50B4ADC46934233CE989F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034198Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:04.337{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5445C09E66BDBA644A3BD0E227AD0051,SHA256=FB07D05B4FD532BBF5BC218B668224E684B2D6F45F565F37D8D7868579CCD142,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034197Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:03.580{15964E91-0562-620E-2A00-000000003602}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-72.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-72.attackrange.local65002- 23542300x800000000000000034196Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:04.152{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8283B8B11A8704D069A48B395B46687F,SHA256=F7E85541D0095E396E69E345534A1B24658711761B730795F4F0FAB493EAFEEB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034195Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:04.088{15964E91-0D67-620E-C106-000000003602}7132ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\lqyh10pn.default-release\permissions.sqlite-journalMD5=D6FF8624453F1428093072DECC9A125F,SHA256=6853441A9553E1C89D32F30A8C49686DBCD87860B6C7963E7095EDE705976217,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034207Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:03.814{15964E91-054F-620E-0B00-000000003602}608C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-72.attackrange.local54604-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-72.attackrange.local389ldap 354300x800000000000000034206Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:03.814{15964E91-0562-620E-2800-000000003602}2872C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-72.attackrange.local54604-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-72.attackrange.local389ldap 354300x800000000000000034205Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:03.696{15964E91-0562-620E-2A00-000000003602}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-72.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-72.attackrange.local50113- 354300x800000000000000034204Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:03.695{15964E91-0562-620E-2A00-000000003602}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-72.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-72.attackrange.local51224- 23542300x800000000000000034203Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:05.171{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4BE97E630EFA5E25B6E4EC410E5ABC9,SHA256=812D7A00B580276418D120B41CB0A546F1BFBA361FF88A42DFB5ADD7F1710B98,IMPHASH=00000000000000000000000000000000falsetrue 22542200x800000000000000034202Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:03.095{15964E91-0D67-620E-C106-000000003602}7132glb-db52c2cf8be544.github.com0140.82.112.22;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000034201Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:03.095{15964E91-0D67-620E-C106-000000003602}7132collector.github.com0type: 5 glb-db52c2cf8be544.github.com;::ffff:140.82.112.22;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000034200Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:02.029{15964E91-0D67-620E-C106-000000003602}7132github.com0::ffff:140.82.121.3;C:\Program Files\Mozilla Firefox\firefox.exe 23542300x800000000000000034210Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:06.514{15964E91-0672-620E-BC00-000000003602}4852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=554F80C87A60F88447015614FA504F09,SHA256=9734764964C63DD96DF33102D80013D51246168D99B6876127D1078C9C381AF6,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034209Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:04.725{15964E91-067A-620E-EA00-000000003602}944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-72.attackrange.local54605-false10.0.1.12-8000- 23542300x800000000000000034208Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:06.172{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FDFD615B28270D7C654427E797B9D4D3,SHA256=648C5422DF5BF30944E4EAD30929C754386FC5BA837CB869EFCB3F9918C96952,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000034215Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:07.261{15964E91-0D67-620E-C106-000000003602}7132C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\lqyh10pn.default-release\AlternateServices.txt2022-02-17 09:00:07.216 23542300x800000000000000034214Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:07.261{15964E91-0D67-620E-C106-000000003602}7132ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\lqyh10pn.default-release\AlternateServices.txtMD5=A05B832A4EB7D67CFEA7DA42987F9C5B,SHA256=D58748964A08D2A88805C8DE04FC6437FD938813568509D8141F0B22DE6668A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034213Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:07.173{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8EC7CEAF7C912B38ADB9A413A7B3789,SHA256=E9AC4055820620B17B54E6BAC9AE3386A3B3CE61FA53E498202EDDBBA5EE23E7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000034212Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:07.133{15964E91-0D67-620E-C106-000000003602}7132C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\lqyh10pn.default-release\SiteSecurityServiceState.txt2022-02-17 09:00:07.085 23542300x800000000000000034211Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:07.133{15964E91-0D67-620E-C106-000000003602}7132ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\lqyh10pn.default-release\SiteSecurityServiceState.txtMD5=90301954A2A947DD18BDACC9FD8805FE,SHA256=17E80BC32F7406E0C14525D5F4C6F0507D4E1D067572EC2F10AB65FCCA2244C1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034226Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:08.322{15964E91-0B4D-620E-6506-000000003602}3824312C:\Windows\Explorer.EXE{15964E91-0D67-620E-C106-000000003602}7132C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+55bd0|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF8034F86AFD8)|UNKNOWN(FFFF835D954A5B68)|UNKNOWN(FFFF835D954A5CE7)|UNKNOWN(FFFF835D954A0371)|UNKNOWN(FFFF835D954A1D3A)|UNKNOWN(FFFF835D9549FFF6)|UNKNOWN(FFFFF8034F582503)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5942b|C:\Windows\System32\SHELL32.dll+dac8a|C:\Windows\System32\SHCORE.dll+33fad 10341000x800000000000000034225Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:08.321{15964E91-0B4D-620E-6506-000000003602}3824312C:\Windows\Explorer.EXE{15964E91-0D67-620E-C106-000000003602}7132C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+556b1|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF8034F86AFD8)|UNKNOWN(FFFF835D954A5B68)|UNKNOWN(FFFF835D954A5CE7)|UNKNOWN(FFFF835D954A0371)|UNKNOWN(FFFF835D954A1D3A)|UNKNOWN(FFFF835D9549FFF6)|UNKNOWN(FFFFF8034F582503)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5942b|C:\Windows\System32\SHELL32.dll+dac8a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000034224Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:08.321{15964E91-0D67-620E-C106-000000003602}7132ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RF3b3653.TMPMD5=D8C7802F2F86D4A8F084F94C507AC3E3,SHA256=2BE27CA4C8487C0A57B8EEB413DBB09EB2843929F23BE9294110B7F017ABB192,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034223Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:08.178{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F3D6E971E160B8E82A34A39BF3C9CD2,SHA256=9DF77A0E8C986C41EAEB7531F22E80F7296FFD7EB59FEFC143EE94202BCA3142,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034222Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:08.134{15964E91-0D67-620E-C106-000000003602}7132ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\lqyh10pn.default-release\webappsstore.sqlite-walMD5=9109665C157B8B62D599766A18DF7321,SHA256=B1A3187F26330588A3B3387047D301FB8450567BBE5A9F989E2D2D283C879C3C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034221Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:08.134{15964E91-0D67-620E-C106-000000003602}7132ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\lqyh10pn.default-release\webappsstore.sqlite-shmMD5=BDFE5F5F64F478B3FFB188D610B39091,SHA256=C030B33C07A8E6B7E00F56A39642707A0E8258F5274EDDBB99E71B5198C2AD18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034220Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:08.130{15964E91-0D67-620E-C106-000000003602}7132ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\lqyh10pn.default-release\storage\default\https+++github.com\ls\data.sqlite-journalMD5=864E8DA849524FE90A7EC629E78646C4,SHA256=3737E3ADBDFA9C981955AC7FFC37CFD32DAE4D4BCAA45A010A90C6D2C7CB328A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034219Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:08.114{15964E91-0D67-620E-C106-000000003602}7132ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\lqyh10pn.default-release\storage\default\https+++github.com\ls\data.sqlite-journalMD5=10DB1AC75FBF79C2001CF127113481EA,SHA256=621B8864C4D868A9560DB8A230029319607D2D5D47D44C7572D19CFDE282575B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034218Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:08.106{15964E91-0D67-620E-C106-000000003602}7132ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\lqyh10pn.default-release\storage\default\https+++github.com\ls\data.sqlite-journalMD5=98D550DC1D38AC8D653CF26282BD0718,SHA256=358DDCA401D78AD79B182D571497A7B5FDABF66B30F120237FD0FEA204BA0600,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034217Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:08.098{15964E91-0D67-620E-C106-000000003602}7132ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\lqyh10pn.default-release\storage\default\https+++github.com\ls\data.sqlite-journalMD5=B4815B7E1EF73DAD62740190D7275D60,SHA256=3C289B6A4700DB2CF2FA99CFFB6007CC944DCBDAF8777DB6CF2F7CB65DB6B283,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034216Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:06.989{15964E91-0672-620E-BC00-000000003602}4852C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-72.attackrange.local54606-false10.0.1.12-8089- 10341000x800000000000000034228Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:09.255{15964E91-0551-620E-0D00-000000003602}8804684C:\Windows\system32\svchost.exe{15964E91-0D67-620E-C106-000000003602}7132C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000034227Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:09.179{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C15DCCAE2FD0EC7776F7F6C791EFD0F,SHA256=98BFD5CECCD4A5F6D56E189FA95B5D59F3D87D50695DC52A8147E0D09231F9E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034229Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:10.196{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=367E1D781509DF502E1B1D9506541135,SHA256=2D0ED23C4FA23ED64804D5AEAE4E83B0BD0D28A33150101483B280A92F92D96D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034230Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:11.198{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D65F1B094BFC34FC3EC79EC35CD196A4,SHA256=B1964D4AD2A79F6A512E1D66B68A08AD43A869F9E8C68DE5625D4B7E8E77C4F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034232Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:12.200{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48517FA6A72B6B43E468B116F6852142,SHA256=7B7DA8D8115F9B8B2C9B8A706BE2859825FADF3D3A038F1CECEC6A5BB78442A3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034231Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:10.681{15964E91-067A-620E-EA00-000000003602}944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-72.attackrange.local54607-false10.0.1.12-8000- 23542300x800000000000000034233Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:13.206{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6761F675CDF39DDDD80E7EF096B08406,SHA256=074D1AAC19F907937035354C0BDEFD26EFBF4870114F0B84B00CF523FED226CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034234Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:14.207{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=181FBFC3D81AB388A4EA0B853B32D17B,SHA256=E898F669BFB01BEDB95A15472D3101365E0CADC330FFD39AC9E9926BF4EB7463,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034235Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:15.216{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5EAA0C107A732E8088479FE7746C63E6,SHA256=8FA08A4617862E0D921A1D67E47543B1DD0693BDA02254BE8770A0A51E5037D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034236Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:16.218{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=581EF9DC403D5BE20112DBB50DA9B934,SHA256=89602D5E79BE0CB3A5B2D670033FFCD3D9732E62F9209F7EAFE0C86DED3978F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034237Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:17.220{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA54808B4F6A4831D0FCBDB3668F8847,SHA256=E9896596DE69C862341E0548EF2D6DF78EC0500AB1B09938A37D9D2D6457E147,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034239Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:18.223{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52416C60ED76227BAFAA0EF218CAB225,SHA256=2BABC9E41A5B7FE87C4427CA966A02B69AA0E92400305DE9FB1D2C0E50383943,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034238Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:16.586{15964E91-067A-620E-EA00-000000003602}944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-72.attackrange.local54608-false10.0.1.12-8000- 23542300x800000000000000034242Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:19.494{15964E91-0D67-620E-C106-000000003602}7132ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\lqyh10pn.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034241Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:19.494{15964E91-0D67-620E-C106-000000003602}7132ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\lqyh10pn.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmMD5=6CC0C8CC9654494D3006707B5EEB4411,SHA256=FFFC8D088DF0BFD9F172A3B4DC21A4AF76C788CC79ED65583FD45EDC36C51591,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034240Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:19.226{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89728333E10809491CE7AD069139CC81,SHA256=DBEFF74BFFF53CEFAF691F2CE79120DA5EAEDD9F32A35429ABC1E5DCE319AFE2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034243Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:20.240{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9A564C790A7BFB9789968679DDF8202,SHA256=A0A89B033A8CA280EE6CC593F9DCD35E466C3F16366C7D356577F91CE4913D42,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034244Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:21.299{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=996E2FCAFF24066B64833A7DC905BDB4,SHA256=D50A6F074C4DCBFCFBCE2167CA798D2A75DBA308103435D000A600E59830A3E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034245Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:22.303{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3FD037C6736560AF9BA5878A69229F9,SHA256=E7638F3241A28BC315CC8B452EEBBD63E124C8EA0814E773DE4AB3A21833597B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034247Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:22.591{15964E91-067A-620E-EA00-000000003602}944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-72.attackrange.local54609-false10.0.1.12-8000- 23542300x800000000000000034246Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:23.312{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06F218493CC25C6126ED4C83AC246EAA,SHA256=FFBD52CDC5CC8FC70187444B2779922873548FAB1DB656E8B894609030E7B73C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034248Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:24.343{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36A929AC5B44CD08AD90E6B0BBF22010,SHA256=782B00DFEB05A83791EBE63D57C59147F74AFCD5FD3F317D695B77E379F431C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034249Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:25.347{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=689F37E0DE22FCFDDD190EC5806EDAD0,SHA256=4C745B9CD0F99392BA271BAAD217CD213E45FEB471000960A7CBCDC793EE36F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034251Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:26.634{15964E91-0562-620E-2C00-000000003602}3036NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0cd13038d9acfb6a1\channels\health\respondent-20220217082052-062MD5=5CDEFFEB9D405321091B6D567D00213B,SHA256=694D3E29A1B4A6F1E67ADE1AE836583F1FB15D03FD159997E24992AEAD1D69F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034250Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:26.377{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE6F208A09F734BFF8E5E85A2878EFF0,SHA256=61E3A901A3DAF934AA413071F767104DAF428E8F67131FA1E3F999F5522160B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034253Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:27.634{15964E91-0562-620E-2C00-000000003602}3036NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0cd13038d9acfb6a1\channels\health\surveyor-20220217082050-063MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034252Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:27.380{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF5EEBDED913C70339D0E1138F8A216A,SHA256=6FE18C973D931AE3CB32927BD82E482A4A662E4C3B4E13D8CA0D08A1E6FDBE4D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034255Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:27.725{15964E91-067A-620E-EA00-000000003602}944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-72.attackrange.local54610-false10.0.1.12-8000- 23542300x800000000000000034254Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:28.380{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B9686F20DA0B922E7EB4B3CB21D0675,SHA256=C0860FE14CB9D67ADEE1F60F0812A2DDC7A93569393A4128CCEE88663C9E16BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034256Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:29.380{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29A84CCC16EEC7E09E8438818AC36211,SHA256=5B31155608DBD005EA921CC845F815A9BFD9F09BFF6822F4C49DD617CA94443E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034265Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:30.432{15964E91-0672-620E-C000-000000003602}31923852C:\Windows\system32\conhost.exe{15964E91-148A-620E-D807-000000003602}6652C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034264Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:30.432{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034263Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:30.432{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034262Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:30.432{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034261Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:30.432{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034260Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:30.432{15964E91-054E-620E-0500-000000003602}392508C:\Windows\system32\csrss.exe{15964E91-148A-620E-D807-000000003602}6652C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000034259Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:30.432{15964E91-0672-620E-BC00-000000003602}48522656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{15964E91-148A-620E-D807-000000003602}6652C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000034258Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:30.433{15964E91-148A-620E-D807-000000003602}6652C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{15964E91-054F-620E-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{15964E91-0672-620E-BC00-000000003602}4852C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000034257Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:30.397{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D93668C044ED3B4C24CEF7BB5C9EC6B,SHA256=3B99E1DED9338E6FE45E726AFF7B0B59284BFCA745682EF7BB7E7CF6779351D6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034285Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:31.983{15964E91-0672-620E-C000-000000003602}31923852C:\Windows\system32\conhost.exe{15964E91-148B-620E-DA07-000000003602}5580C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034284Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:31.983{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034283Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:31.983{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034282Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:31.983{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034281Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:31.983{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034280Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:31.983{15964E91-054E-620E-0500-000000003602}392408C:\Windows\system32\csrss.exe{15964E91-148B-620E-DA07-000000003602}5580C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000034279Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:31.983{15964E91-0672-620E-BC00-000000003602}48522656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{15964E91-148B-620E-DA07-000000003602}5580C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000034278Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:31.984{15964E91-148B-620E-DA07-000000003602}5580C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{15964E91-054F-620E-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{15964E91-0672-620E-BC00-000000003602}4852C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000034277Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:31.436{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D1C5D3F9603BA52FE3A2AFE98ECC7361,SHA256=FFF8333B061B8646FC27D9116FE151AAD6217D45A0B2002DB4001F6D737A9FF9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034276Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:31.436{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E125007A77B617EECFA6D4249D6519F1,SHA256=723FE25F6C8CB2042664E1ACF0F9BA213624B6D2ADB50B4ADC46934233CE989F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034275Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:31.405{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB2970FC7835635A7BBD9966CD563185,SHA256=F0AF8010B0F940A203A5396778B2ABD77B7BEC02248A5E85E1A18DB5B2D93A1F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034274Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:31.321{15964E91-148B-620E-D907-000000003602}51965516C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{15964E91-0672-620E-BC00-000000003602}4852C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034273Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:31.105{15964E91-0672-620E-C000-000000003602}31923852C:\Windows\system32\conhost.exe{15964E91-148B-620E-D907-000000003602}5196C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034272Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:31.099{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034271Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:31.099{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034270Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:31.099{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034269Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:31.099{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034268Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:31.099{15964E91-054E-620E-0500-000000003602}392508C:\Windows\system32\csrss.exe{15964E91-148B-620E-D907-000000003602}5196C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000034267Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:31.098{15964E91-0672-620E-BC00-000000003602}48522656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{15964E91-148B-620E-D907-000000003602}5196C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000034266Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:31.097{15964E91-148B-620E-D907-000000003602}5196C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{15964E91-054F-620E-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{15964E91-0672-620E-BC00-000000003602}4852C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000034286Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:32.420{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8378810A77C37F28422EB5FAC697EC2F,SHA256=6C196084229DD8ADAA82DCA3C73A7D6BA607593C8C0FA6F59F7E08649499B605,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034299Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:32.913{15964E91-0562-620E-2A00-000000003602}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-72.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-72.attackrange.local62706- 23542300x800000000000000034298Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:33.444{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54C4F53202D1D416B9183941E7409C06,SHA256=49E7689227A681CCC4C97A6464563A94D298D73FB19ED5D22365D0965CB395AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034297Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:33.430{15964E91-0551-620E-1100-000000003602}396NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=FCCCAD37888A28013B2945325D1FEB0E,SHA256=91E2AD87B7B637281D95A5208EBD93C3B5F45278D2EE5161975339107733A5F3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034296Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:33.412{15964E91-148D-620E-DB07-000000003602}34646188C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{15964E91-0672-620E-BC00-000000003602}4852C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034295Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:33.235{15964E91-0672-620E-C000-000000003602}31923852C:\Windows\system32\conhost.exe{15964E91-148D-620E-DB07-000000003602}3464C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034294Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:33.235{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034293Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:33.235{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034292Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:33.235{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034291Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:33.235{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034290Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:33.235{15964E91-054E-620E-0500-000000003602}392476C:\Windows\system32\csrss.exe{15964E91-148D-620E-DB07-000000003602}3464C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000034289Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:33.235{15964E91-0672-620E-BC00-000000003602}48522656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{15964E91-148D-620E-DB07-000000003602}3464C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000034288Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:33.236{15964E91-148D-620E-DB07-000000003602}3464C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{15964E91-054F-620E-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{15964E91-0672-620E-BC00-000000003602}4852C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000034287Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:33.051{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D1C5D3F9603BA52FE3A2AFE98ECC7361,SHA256=FFF8333B061B8646FC27D9116FE151AAD6217D45A0B2002DB4001F6D737A9FF9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034311Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:34.648{15964E91-148E-620E-DC07-000000003602}42084392C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{15964E91-0672-620E-BC00-000000003602}4852C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000034310Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:33.612{15964E91-067A-620E-EA00-000000003602}944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-72.attackrange.local54611-false10.0.1.12-8000- 23542300x800000000000000034309Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:34.443{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF0D002CFB87DBED376EB9BDAD2063F6,SHA256=593579811DB08F87DB63A7960608A4C3F28F6A92EAEEDED1F00F88265827DBCC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034308Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:34.390{15964E91-0672-620E-C000-000000003602}31923852C:\Windows\system32\conhost.exe{15964E91-148E-620E-DC07-000000003602}4208C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034307Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:34.390{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034306Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:34.390{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034305Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:34.390{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034304Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:34.390{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034303Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:34.390{15964E91-054E-620E-0500-000000003602}392508C:\Windows\system32\csrss.exe{15964E91-148E-620E-DC07-000000003602}4208C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000034302Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:34.390{15964E91-0672-620E-BC00-000000003602}48522656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{15964E91-148E-620E-DC07-000000003602}4208C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000034301Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:34.391{15964E91-148E-620E-DC07-000000003602}4208C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{15964E91-054F-620E-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{15964E91-0672-620E-BC00-000000003602}4852C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000034300Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:34.290{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3CA697A6AF03F7390D6364D5795D135F,SHA256=8FD6C27C67948804DA61097535E25FD0137106338E3EC8E62AB0E7B1D4D8D5D9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034330Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:35.949{15964E91-0672-620E-C000-000000003602}31923852C:\Windows\system32\conhost.exe{15964E91-148F-620E-DE07-000000003602}6472C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034329Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:35.949{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034328Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:35.949{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034327Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:35.949{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034326Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:35.949{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034325Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:35.949{15964E91-054E-620E-0500-000000003602}392476C:\Windows\system32\csrss.exe{15964E91-148F-620E-DE07-000000003602}6472C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000034324Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:35.949{15964E91-0672-620E-BC00-000000003602}48522656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{15964E91-148F-620E-DE07-000000003602}6472C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000034323Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:35.950{15964E91-148F-620E-DE07-000000003602}6472C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{15964E91-054F-620E-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{15964E91-0672-620E-BC00-000000003602}4852C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000034322Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:35.465{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E945E747BA41695EE85BE764C1C5B056,SHA256=34FEB2944D6355D8DFDE528E0F298958A5C489427245A8D23022C088943D2D7F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034321Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:35.431{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A677B32CDFC171DA1DB90A8C1761DD64,SHA256=E383777BA3699F152FF9958F2A28175C043851D75BF575165C0DB4063E709A63,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034320Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:35.317{15964E91-148F-620E-DD07-000000003602}21524256C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{15964E91-0672-620E-BC00-000000003602}4852C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034319Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:35.061{15964E91-0672-620E-C000-000000003602}31923852C:\Windows\system32\conhost.exe{15964E91-148F-620E-DD07-000000003602}2152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034318Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:35.061{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034317Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:35.061{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034316Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:35.061{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034315Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:35.061{15964E91-054E-620E-0500-000000003602}392476C:\Windows\system32\csrss.exe{15964E91-148F-620E-DD07-000000003602}2152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000034314Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:35.061{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034313Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:35.061{15964E91-0672-620E-BC00-000000003602}48522656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{15964E91-148F-620E-DD07-000000003602}2152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000034312Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:35.062{15964E91-148F-620E-DD07-000000003602}2152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{15964E91-054F-620E-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{15964E91-0672-620E-BC00-000000003602}4852C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000034332Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:36.995{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A8BE8BA1C88061ABA6954ED1BEDD050A,SHA256=908A60238D060B5D119AF6D22B0DC49073A735ED9A8DDE5F23CBF0200C6E9699,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034331Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:36.480{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=691F829B135FD688C6D176A00CFA8F9F,SHA256=E6A65604E133526E36B9C17439B1D0F9D2F4E7E40EBA151CE51A49584F07F78A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034333Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:37.510{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E74152774DC443811F53CEA991F20D12,SHA256=586CFD61851C00BB1C5B3F92235EBF712C7FE6C4497E8BC869CD9A9BD0CD0158,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034334Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:38.527{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=767396993857000D7B13A38C4C525EB2,SHA256=4E54E0FDD41A24C5D1BFAF179B3045BB20446F394CED490F65BC36A4760D17BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034335Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:39.546{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F9B086AC13A1A3A8600B27E319AA4F5,SHA256=9ECA1B3D7817E407E54CA9D78C90A41E13A9DF3BAA5A2076680DB1FA67DB8EFD,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034337Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:38.720{15964E91-067A-620E-EA00-000000003602}944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-72.attackrange.local54612-false10.0.1.12-8000- 23542300x800000000000000034336Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:40.577{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23A71F7B978162CA8691C98CF09AC552,SHA256=87579B19868A4954AAC41C04AD8316EA58220725C679369703A0842C5439B41B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034338Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:41.592{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE5E124847E0DAA000280481A38FC3D8,SHA256=61136FE323D180A1200E7AF38EA2B71C2615ED26118E79A427B0DA2F6447C66C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034339Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:42.606{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0063DA1242B5A0C12F93A0F90B7E6A63,SHA256=C0135E0AD44A1EB2AC2055502889F0A723942E8BC46FEDD7806A629714D4EE32,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034340Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:43.624{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=120CDF2F0F07279C38BA0ECD9A92431B,SHA256=32C25A299A128260D7565A15F4B075627F5AA3CA007621297050A0ED524C8EB5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034341Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:44.643{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AFFD4B7CB8A287766A3A0306DCB53A2E,SHA256=4703015D9724D45EFD26C35C572660CB06CBDFDB92B2AB760C2921B8113A2DB0,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034343Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:44.635{15964E91-067A-620E-EA00-000000003602}944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-72.attackrange.local54613-false10.0.1.12-8000- 23542300x800000000000000034342Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:45.659{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7DA05A4B873DA0B065FF36F441C071C0,SHA256=A86570AE3322E1DA4B9F964DC4C33A2D1804838391AE80B8B6AD156C5E4DE274,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034344Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:46.674{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D4631D99E1C69FD41FC09786302425E,SHA256=52D24B538A88EB3A79B14AFEF6D02957CF30B08F035C6F17787F4759A5829E26,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034345Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:47.690{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23E339845994C2F2BF6483D2EB9E0F66,SHA256=080770C03B2D7F34BE6673B2EE7AB84D16B9DF32E1EDB0541B9CD220941D29D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034346Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:48.699{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0481B2CC077D5AF9E302982D57EC591F,SHA256=A483E7A3548B438DF1C05650D7254D4EA2819CCE03EEE377786A546FC8385FC9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034347Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:49.722{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E5DF9F31919473BA4C09D62E03322B2,SHA256=874FB22FFFBFAC9EADE5B077398593F1F89974A605764A39AADCBFBF9A82B796,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034348Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:50.742{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22165DECEE2E1B9AE8F8109744ED1DF2,SHA256=AECA2476D42B7B9AE1F5AB720D47B7FABE4FDD163BE2742D3B473FBF44CBF391,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034350Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:50.648{15964E91-067A-620E-EA00-000000003602}944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-72.attackrange.local54614-false10.0.1.12-8000- 23542300x800000000000000034349Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:51.744{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5B3CB266AB205EFD5F6D284722FF376,SHA256=0DB88C0A6A3DB6CF755CA48D0BF0801A30F94E9E5204AEF22B9456DBE9A939C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034351Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:52.745{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7EFA759F41EA38402A4C7F05773FF42E,SHA256=66E45B3660D57474244C5ADE70EA4FFF0B28EDD25DE9B30BB172EE591E3BB7E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034352Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:53.746{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13DC84724F4F1CD4DEFE23A28952A20E,SHA256=7282C348F91472ECB90B326FA72C562678A49977A5587467CE5D94CB28F8BBCE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034353Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:54.760{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F19FDEF34D344883DEDD86B10A6A6F52,SHA256=BE4B428E946A7C46F69E4D7DE1B086464E5D85660D219FC332017CA1661D2DD2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034358Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:55.807{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=744A13182054B655C416B094F354D4ED,SHA256=636052CA43407D7F18006608B19D5347450D8C61BC4B9348D507D7209D49E162,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034357Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:55.129{15964E91-0551-620E-1200-000000003602}4161700C:\Windows\system32\svchost.exe{15964E91-143F-620E-CE07-000000003602}2588C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 17141700x800000000000000034356Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-CreatePipe2022-02-17 09:25:55.091{15964E91-0D67-620E-C106-000000003602}7132\chrome.7132.140.84656755C:\Program Files\Mozilla Firefox\firefox.exe 10341000x800000000000000034355Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:55.060{15964E91-0D67-620E-C106-000000003602}71324796C:\Program Files\Mozilla Firefox\firefox.exe{15964E91-1428-620E-CD07-000000003602}5568C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+2ba20|C:\Program Files\Mozilla Firefox\xul.dll+e4d42d|C:\Program Files\Mozilla Firefox\xul.dll+e4ceb8|C:\Program Files\Mozilla Firefox\xul.dll+844fb2|C:\Program Files\Mozilla Firefox\xul.dll+8390ea|C:\Program Files\Mozilla Firefox\xul.dll+19df6f7|C:\Program Files\Mozilla Firefox\xul.dll+16aee96|C:\Program Files\Mozilla Firefox\xul.dll+1a05b8f|C:\Program Files\Mozilla Firefox\xul.dll+9945bf|C:\Program Files\Mozilla Firefox\xul.dll+2479e|C:\Program Files\Mozilla Firefox\xul.dll+18eaa8|C:\Program Files\Mozilla Firefox\xul.dll+18d99f|C:\Program Files\Mozilla Firefox\xul.dll+43e0a51|C:\Program Files\Mozilla Firefox\xul.dll+444af9b|C:\Program Files\Mozilla Firefox\xul.dll+444bd89|C:\Program Files\Mozilla Firefox\xul.dll+1f9ea33|C:\Program Files\Mozilla Firefox\firefox.exe+9e20|C:\Program Files\Mozilla Firefox\firefox.exe+1ca68|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034354Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:55.060{15964E91-0D67-620E-C106-000000003602}71324796C:\Program Files\Mozilla Firefox\firefox.exe{15964E91-143F-620E-CE07-000000003602}2588C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+2ba20|C:\Program Files\Mozilla Firefox\xul.dll+e4d42d|C:\Program Files\Mozilla Firefox\xul.dll+e47659|C:\Program Files\Mozilla Firefox\xul.dll+e48048|C:\Program Files\Mozilla Firefox\xul.dll+e363d1|C:\Program Files\Mozilla Firefox\xul.dll+4218b14|C:\Program Files\Mozilla Firefox\xul.dll+243d6f0|C:\Program Files\Mozilla Firefox\xul.dll+98726e|C:\Program Files\Mozilla Firefox\xul.dll+948901|C:\Program Files\Mozilla Firefox\xul.dll+18f18d|C:\Program Files\Mozilla Firefox\xul.dll+98a737|C:\Program Files\Mozilla Firefox\xul.dll+95183a|C:\Program Files\Mozilla Firefox\xul.dll+9545f1|C:\Program Files\Mozilla Firefox\xul.dll+95340e|C:\Program Files\Mozilla Firefox\xul.dll+952787|C:\Program Files\Mozilla Firefox\xul.dll+95c8a2|C:\Program Files\Mozilla Firefox\xul.dll+8959ca|C:\Program Files\Mozilla Firefox\xul.dll+82af27|C:\Program Files\Mozilla Firefox\xul.dll+19df6f7|C:\Program Files\Mozilla Firefox\xul.dll+16aee96|C:\Program Files\Mozilla Firefox\xul.dll+1a05b8f|C:\Program Files\Mozilla Firefox\xul.dll+9945bf 22542200x800000000000000034413Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:54.853{15964E91-0D67-620E-C106-000000003602}7132raw.githubusercontent.com02606:50c0:8001::154;2606:50c0:8000::154;2606:50c0:8003::154;2606:50c0:8002::154;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000034412Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:54.852{15964E91-0D67-620E-C106-000000003602}7132raw.githubusercontent.com0185.199.108.133;185.199.109.133;185.199.110.133;185.199.111.133;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000034411Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:54.851{15964E91-0D67-620E-C106-000000003602}7132raw.githubusercontent.com0::ffff:185.199.111.133;::ffff:185.199.108.133;::ffff:185.199.109.133;::ffff:185.199.110.133;C:\Program Files\Mozilla Firefox\firefox.exe 23542300x800000000000000034410Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:56.828{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95E2A63567A24A0805D1968DFF1F5D3B,SHA256=21F91256E76CC9D721A1F357CB0A76D74B5505102E9D7F357FA38DEB08914FCC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034409Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:56.260{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0247F62A35774954D58E1FE049E9A0F,SHA256=D3029F68E4790D1A01F45A297398B713D6AB335C438B370EC5925BBE092071CF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034408Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:56.160{15964E91-0551-620E-1200-000000003602}4161700C:\Windows\system32\svchost.exe{15964E91-14A4-620E-DF07-000000003602}2212C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034407Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:56.160{15964E91-0551-620E-1200-000000003602}4161700C:\Windows\system32\svchost.exe{15964E91-14A4-620E-DF07-000000003602}2212C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034406Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:56.160{15964E91-054F-620E-0B00-000000003602}608648C:\Windows\system32\lsass.exe{15964E91-14A4-620E-DF07-000000003602}2212C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034405Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:56.160{15964E91-054F-620E-0B00-000000003602}608648C:\Windows\system32\lsass.exe{15964E91-14A4-620E-DF07-000000003602}2212C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x800000000000000034404Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-ConnectPipe2022-02-17 09:25:56.144{15964E91-0D67-620E-C106-000000003602}7132\cubeb-pipe-7132-48C:\Program Files\Mozilla Firefox\firefox.exe 17141700x800000000000000034403Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-CreatePipe2022-02-17 09:25:56.144{15964E91-0D67-620E-C106-000000003602}7132\cubeb-pipe-7132-48C:\Program Files\Mozilla Firefox\firefox.exe 10341000x800000000000000034402Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:56.128{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-14A4-620E-DF07-000000003602}2212C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034401Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:56.128{15964E91-0551-620E-1600-000000003602}13281368C:\Windows\system32\svchost.exe{15964E91-14A4-620E-DF07-000000003602}2212C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x800000000000000034400Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-ConnectPipe2022-02-17 09:25:56.128{15964E91-0D69-620E-C206-000000003602}6692\chrome.7132.142.19077362C:\Program Files\Mozilla Firefox\firefox.exe 17141700x800000000000000034399Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-CreatePipe2022-02-17 09:25:56.128{15964E91-0D67-620E-C106-000000003602}7132\chrome.7132.142.19077362C:\Program Files\Mozilla Firefox\firefox.exe 10341000x800000000000000034398Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:56.127{15964E91-0D67-620E-C106-000000003602}71322220C:\Program Files\Mozilla Firefox\firefox.exe{15964E91-14A4-620E-DF07-000000003602}2212C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+19fd0bf|C:\Program Files\Mozilla Firefox\xul.dll+19fb95b|C:\Program Files\Mozilla Firefox\xul.dll+12bc5|C:\Program Files\Mozilla Firefox\xul.dll+9945bf|C:\Program Files\Mozilla Firefox\xul.dll+127a7|C:\Program Files\Mozilla Firefox\xul.dll+991801|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1d4d8|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x800000000000000034397Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-ConnectPipe2022-02-17 09:25:56.127{15964E91-0D67-620E-C106-000000003602}7132\chrome.7132.141.82500612C:\Program Files\Mozilla Firefox\firefox.exe 10341000x800000000000000034396Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:56.124{15964E91-0D67-620E-C106-000000003602}71323292C:\Program Files\Mozilla Firefox\firefox.exe{15964E91-14A4-620E-DF07-000000003602}2212C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+12332b|C:\Program Files\Mozilla Firefox\xul.dll+121a9ff|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1d4d8|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x800000000000000034395Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-ConnectPipe2022-02-17 09:25:56.123{15964E91-0D67-620E-C106-000000003602}7132\gecko-crash-server-pipe.7132C:\Program Files\Mozilla Firefox\firefox.exe 10341000x800000000000000034394Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:56.091{15964E91-0D67-620E-C106-000000003602}71324796C:\Program Files\Mozilla Firefox\firefox.exe{15964E91-14A4-620E-DF07-000000003602}2212C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+2ba20|C:\Program Files\Mozilla Firefox\xul.dll+e4d42d|C:\Program Files\Mozilla Firefox\xul.dll+e47659|C:\Program Files\Mozilla Firefox\xul.dll+e38491|C:\Program Files\Mozilla Firefox\xul.dll+e46718|C:\Program Files\Mozilla Firefox\xul.dll+7cb4e4|C:\Program Files\Mozilla Firefox\xul.dll+19df6f7|C:\Program Files\Mozilla Firefox\xul.dll+19de1b3|C:\Program Files\Mozilla Firefox\xul.dll+16b00b5|C:\Program Files\Mozilla Firefox\xul.dll+1a05d93|C:\Program Files\Mozilla Firefox\xul.dll+9945bf|C:\Program Files\Mozilla Firefox\xul.dll+2479e|C:\Program Files\Mozilla Firefox\xul.dll+18eaa8|C:\Program Files\Mozilla Firefox\xul.dll+18d99f|C:\Program Files\Mozilla Firefox\xul.dll+43e0a51|C:\Program Files\Mozilla Firefox\xul.dll+444af9b|C:\Program Files\Mozilla Firefox\xul.dll+444bd89|C:\Program Files\Mozilla Firefox\xul.dll+1f9ea33|C:\Program Files\Mozilla Firefox\firefox.exe+9e20|C:\Program Files\Mozilla Firefox\firefox.exe+1ca68|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034393Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:56.091{15964E91-0D67-620E-C106-000000003602}71322220C:\Program Files\Mozilla Firefox\firefox.exe{15964E91-14A4-620E-DF07-000000003602}2212C:\Program Files\Mozilla Firefox\firefox.exe0x101451C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+9a99af|C:\Program Files\Mozilla Firefox\xul.dll+7cb4e4|C:\Program Files\Mozilla Firefox\xul.dll+19fb56f|C:\Program Files\Mozilla Firefox\xul.dll+12bc5|C:\Program Files\Mozilla Firefox\xul.dll+9945bf|C:\Program Files\Mozilla Firefox\xul.dll+127a7|C:\Program Files\Mozilla Firefox\xul.dll+991801|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1d4d8|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034392Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:56.091{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034391Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:56.091{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034390Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:56.091{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034389Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:56.091{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034388Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:56.091{15964E91-0B49-620E-4B06-000000003602}24362168C:\Windows\system32\csrss.exe{15964E91-14A4-620E-DF07-000000003602}2212C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000034387Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:56.076{15964E91-0D67-620E-C106-000000003602}71326696C:\Program Files\Mozilla Firefox\firefox.exe{15964E91-14A4-620E-DF07-000000003602}2212C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\ADVAPI32.dll+189bf|C:\Program Files\Mozilla Firefox\firefox.exe+30d6d|C:\Program Files\Mozilla Firefox\firefox.exe+2ff95|C:\Program Files\Mozilla Firefox\xul.dll+205542a|C:\Program Files\Mozilla Firefox\xul.dll+9a599e|C:\Program Files\Mozilla Firefox\xul.dll+9a3b55|C:\Program Files\Mozilla Firefox\xul.dll+9aa7de|C:\Program Files\Mozilla Firefox\xul.dll+83735d|C:\Program Files\Mozilla Firefox\xul.dll+16af1e9|C:\Program Files\Mozilla Firefox\xul.dll+16ae34a|C:\Program Files\Mozilla Firefox\xul.dll+9945bf|C:\Program Files\Mozilla Firefox\xul.dll+2479e|C:\Program Files\Mozilla Firefox\xul.dll+83a0fb|C:\Program Files\Mozilla Firefox\nss3.dll+6b2c|C:\Program Files\Mozilla Firefox\nss3.dll+8feb1|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1d4d8|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000034386Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:56.090{15964E91-14A4-620E-DF07-000000003602}2212C:\Program Files\Mozilla Firefox\firefox.exe97.0FirefoxFirefoxMozilla Corporationfirefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="7132.141.825006121\1029226927" -childID 49 -isForBrowser -prefsHandle 4532 -prefMapHandle 4348 -prefsLen 14938 -prefMapSize 242227 -jsInitHandle 1064 -jsInitLen 279340 -parentBuildID 20220202182137 -appDir "C:\Program Files\Mozilla Firefox\browser" - 7132 "\\.\pipe\gecko-crash-server-pipe.7132" 6840 27b9b6f6a48 tabC:\Program Files\Mozilla Firefox\ATTACKRANGE\Administrator{15964E91-0B4B-620E-27B1-370000000000}0x37b1272LowMD5=483C957E78DC5F376690F2A723122472,SHA256=D6BBFEF307CEF9D87BA5D40AC14315545CEFBBDECF705912C52C848EEBF8649D,IMPHASH=FAFFE564A2DAFFCCC4A6BE71D34C1748{15964E91-0D67-620E-C106-000000003602}7132C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" 10341000x800000000000000034385Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:56.076{15964E91-054F-620E-0B00-000000003602}608648C:\Windows\system32\lsass.exe{15964E91-0D67-620E-C106-000000003602}7132C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034384Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:56.076{15964E91-054F-620E-0B00-000000003602}608648C:\Windows\system32\lsass.exe{15964E91-0D67-620E-C106-000000003602}7132C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034383Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:56.076{15964E91-054F-620E-0B00-000000003602}608648C:\Windows\system32\lsass.exe{15964E91-0D67-620E-C106-000000003602}7132C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034382Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:56.076{15964E91-054F-620E-0B00-000000003602}608648C:\Windows\system32\lsass.exe{15964E91-0D67-620E-C106-000000003602}7132C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034381Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:56.076{15964E91-054F-620E-0B00-000000003602}608648C:\Windows\system32\lsass.exe{15964E91-0D67-620E-C106-000000003602}7132C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034380Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:56.076{15964E91-054F-620E-0B00-000000003602}608648C:\Windows\system32\lsass.exe{15964E91-0D67-620E-C106-000000003602}7132C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034379Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:56.076{15964E91-054F-620E-0B00-000000003602}608648C:\Windows\system32\lsass.exe{15964E91-0D67-620E-C106-000000003602}7132C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034378Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:56.076{15964E91-054F-620E-0B00-000000003602}608648C:\Windows\system32\lsass.exe{15964E91-0D67-620E-C106-000000003602}7132C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034377Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:56.076{15964E91-054F-620E-0B00-000000003602}608648C:\Windows\system32\lsass.exe{15964E91-0D67-620E-C106-000000003602}7132C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034376Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:56.076{15964E91-054F-620E-0B00-000000003602}608648C:\Windows\system32\lsass.exe{15964E91-0D67-620E-C106-000000003602}7132C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034375Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:56.076{15964E91-054F-620E-0B00-000000003602}608648C:\Windows\system32\lsass.exe{15964E91-0D67-620E-C106-000000003602}7132C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034374Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:56.076{15964E91-054F-620E-0B00-000000003602}608648C:\Windows\system32\lsass.exe{15964E91-0D67-620E-C106-000000003602}7132C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034373Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:56.076{15964E91-054F-620E-0B00-000000003602}608648C:\Windows\system32\lsass.exe{15964E91-0D67-620E-C106-000000003602}7132C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034372Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:56.076{15964E91-054F-620E-0B00-000000003602}608648C:\Windows\system32\lsass.exe{15964E91-0D67-620E-C106-000000003602}7132C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034371Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:56.076{15964E91-054F-620E-0B00-000000003602}608648C:\Windows\system32\lsass.exe{15964E91-0D67-620E-C106-000000003602}7132C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034370Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:56.076{15964E91-054F-620E-0B00-000000003602}608648C:\Windows\system32\lsass.exe{15964E91-0D67-620E-C106-000000003602}7132C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034369Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:56.076{15964E91-054F-620E-0B00-000000003602}608648C:\Windows\system32\lsass.exe{15964E91-0D67-620E-C106-000000003602}7132C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034368Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:56.076{15964E91-054F-620E-0B00-000000003602}608648C:\Windows\system32\lsass.exe{15964E91-0D67-620E-C106-000000003602}7132C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034367Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:56.076{15964E91-054F-620E-0B00-000000003602}608648C:\Windows\system32\lsass.exe{15964E91-0D67-620E-C106-000000003602}7132C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034366Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:56.076{15964E91-054F-620E-0B00-000000003602}608648C:\Windows\system32\lsass.exe{15964E91-0D67-620E-C106-000000003602}7132C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034365Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:56.076{15964E91-054F-620E-0B00-000000003602}608648C:\Windows\system32\lsass.exe{15964E91-0D67-620E-C106-000000003602}7132C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034364Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:56.076{15964E91-054F-620E-0B00-000000003602}608648C:\Windows\system32\lsass.exe{15964E91-0D67-620E-C106-000000003602}7132C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034363Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:56.076{15964E91-054F-620E-0B00-000000003602}608648C:\Windows\system32\lsass.exe{15964E91-0D67-620E-C106-000000003602}7132C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034362Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:56.076{15964E91-054F-620E-0B00-000000003602}608648C:\Windows\system32\lsass.exe{15964E91-0D67-620E-C106-000000003602}7132C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034361Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:56.076{15964E91-054F-620E-0B00-000000003602}608648C:\Windows\system32\lsass.exe{15964E91-0D67-620E-C106-000000003602}7132C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034360Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:56.076{15964E91-054F-620E-0B00-000000003602}608648C:\Windows\system32\lsass.exe{15964E91-0D67-620E-C106-000000003602}7132C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 17141700x800000000000000034359Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-CreatePipe2022-02-17 09:25:56.076{15964E91-0D67-620E-C106-000000003602}7132\chrome.7132.141.82500612C:\Program Files\Mozilla Firefox\firefox.exe 10341000x800000000000000034422Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:57.890{15964E91-0D67-620E-C106-000000003602}71324796C:\Program Files\Mozilla Firefox\firefox.exe{15964E91-0D69-620E-C206-000000003602}6692C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+ecbfb2|C:\Program Files\Mozilla Firefox\xul.dll+ba1e22|C:\Program Files\Mozilla Firefox\xul.dll+271672|C:\Program Files\Mozilla Firefox\xul.dll+27144a|C:\Program Files\Mozilla Firefox\xul.dll+ee484f|C:\Program Files\Mozilla Firefox\xul.dll+1b43a7e|C:\Program Files\Mozilla Firefox\xul.dll+1b46e28|C:\Program Files\Mozilla Firefox\xul.dll+17a6989|C:\Program Files\Mozilla Firefox\xul.dll+17a5e25|C:\Program Files\Mozilla Firefox\xul.dll+3b58399|C:\Program Files\Mozilla Firefox\xul.dll+3b58864|C:\Program Files\Mozilla Firefox\xul.dll+3819cf0|C:\Program Files\Mozilla Firefox\xul.dll+2eecfb4|C:\Program Files\Mozilla Firefox\xul.dll+1732f27|C:\Program Files\Mozilla Firefox\xul.dll+1bed0db|C:\Program Files\Mozilla Firefox\xul.dll+17b963c|C:\Program Files\Mozilla Firefox\xul.dll+1859fb3|C:\Program Files\Mozilla Firefox\xul.dll+2e8c45|C:\Program Files\Mozilla Firefox\xul.dll+e5537e|C:\Program Files\Mozilla Firefox\xul.dll+2e7898|C:\Program Files\Mozilla Firefox\xul.dll+e52c58|C:\Program Files\Mozilla Firefox\xul.dll+1a1311 354300x800000000000000034421Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:56.667{15964E91-067A-620E-EA00-000000003602}944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-72.attackrange.local54616-false10.0.1.12-8000- 354300x800000000000000034420Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:55.349{15964E91-0D67-620E-C106-000000003602}7132C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-tcontreras-attack-range-72.attackrange.local54615-false185.199.111.133cdn-185-199-111-133.github.com443https 23542300x800000000000000034419Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:57.843{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A692EA6C0F45038B51EC4B1ED5F635FB,SHA256=6EFEDF8D6C171A99C8BA1F88238011EB1C538D30D089FA13B91390DA79458AA8,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034418Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:55.348{15964E91-0562-620E-2A00-000000003602}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-72.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-72.attackrange.local63651- 354300x800000000000000034417Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:55.348{15964E91-0562-620E-2A00-000000003602}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-72.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-72.attackrange.local63641- 354300x800000000000000034416Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:55.346{15964E91-0562-620E-2A00-000000003602}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-72.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-72.attackrange.local49638- 23542300x800000000000000034415Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:57.091{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1CE7684D78636CB02FF55E01A1E83ECA,SHA256=6FF8547BAAF5F2DB8AFADE55CCBF893149D8A75FB5DDDED867E4F5F68CEF0AC5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034414Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:57.091{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AAE878B1F3AFE6010EB782825E3D9D6A,SHA256=942A53225D94C4F6BAEC1CE182AB2233866D32ECC56105EC61996720EC3315EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034423Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:58.845{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42647733AAE68F98DE8A893AD17EF0B5,SHA256=0B7E36E91B8346014398357DC7F3ED9B4BAF99877A93111C7CECBA8E244A9041,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034425Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:58.365{15964E91-0562-620E-2A00-000000003602}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-72.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-72.attackrange.local65125- 23542300x800000000000000034424Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:25:59.860{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07A5D533D176FC47E20E681D333BC8E1,SHA256=EC3A62CFFC97FADC93149D1E67187649DBADBF30C0D8DF880FEC819A67ECB29D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034426Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:00.876{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB181574F83CC26B6C4B038EDDCF8DB1,SHA256=A736ECEFFC2E1741F72BEABE06A9142E4BBAF7F92F3125245FB04658064BB186,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034427Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:01.907{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B85428B4C28B62A44A27EAC0A9E0641,SHA256=68734E0139E0E83E65D69F5DB0C4C97E535BB95E1B30B4F8DBCE188564EF5B95,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034428Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:02.907{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3AE842FE0FB70A46F5BF434ABEEAEBE,SHA256=FD9D01598CF75451C535544B4C7BD5B63A6D21BDC8F420FCE2DBA9A970FEA1C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034429Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:03.924{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=402A8C9A36322BA746E94904A9ED65EC,SHA256=9C76B597FC9D0D13E48E09EC760431FE6C240721F8E483F9732FD3461567D45D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034444Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:04.945{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA60A6ADD6F00BDA998793B883F3227B,SHA256=0CAC40F6DD577074D55E50E6B76D866CC6D64E86A3EE157735A1DC07523CD673,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034443Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:04.375{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D8A73194030E8AD4D80DA18A17F485FF,SHA256=C52EA6EA1454650C2609C0425781E035ACB47A2822DCF7224E8910CC6DD6E440,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034442Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:04.375{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1CE7684D78636CB02FF55E01A1E83ECA,SHA256=6FF8547BAAF5F2DB8AFADE55CCBF893149D8A75FB5DDDED867E4F5F68CEF0AC5,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034441Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:01.714{15964E91-067A-620E-EA00-000000003602}944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-72.attackrange.local54617-false10.0.1.12-8000- 13241300x800000000000000034440Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-SetValue2022-02-17 09:26:04.244{15964E91-054F-620E-0B00-000000003602}608C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x800000000000000034439Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-SetValue2022-02-17 09:26:04.244{15964E91-054F-620E-0B00-000000003602}608C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x003c10c5) 13241300x800000000000000034438Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-SetValue2022-02-17 09:26:04.244{15964E91-054F-620E-0B00-000000003602}608C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d823d8-0x00957e22) 13241300x800000000000000034437Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-SetValue2022-02-17 09:26:04.244{15964E91-054F-620E-0B00-000000003602}608C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d823e0-0x6259e622) 13241300x800000000000000034436Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-SetValue2022-02-17 09:26:04.244{15964E91-054F-620E-0B00-000000003602}608C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d823e8-0xc41e4e22) 13241300x800000000000000034435Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-SetValue2022-02-17 09:26:04.244{15964E91-054F-620E-0B00-000000003602}608C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x800000000000000034434Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-SetValue2022-02-17 09:26:04.244{15964E91-054F-620E-0B00-000000003602}608C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x003c10c5) 13241300x800000000000000034433Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-SetValue2022-02-17 09:26:04.244{15964E91-054F-620E-0B00-000000003602}608C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d823d8-0x00957e22) 13241300x800000000000000034432Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-SetValue2022-02-17 09:26:04.244{15964E91-054F-620E-0B00-000000003602}608C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d823e0-0x6259e622) 13241300x800000000000000034431Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-SetValue2022-02-17 09:26:04.244{15964E91-054F-620E-0B00-000000003602}608C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d823e8-0xc41e4e22) 23542300x800000000000000034430Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:04.144{15964E91-0D67-620E-C106-000000003602}7132ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\lqyh10pn.default-release\datareporting\glean\db\data.safe.binMD5=4A141AA5B58DA150D20D36EAB26ED2BF,SHA256=D25F0C7478D8523567F014272D90011CECC428F8285573DC29C31D0B3942A3D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034454Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:05.968{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE604B8B4F1D2E484E86728480102DCF,SHA256=6AE64F7CA479BCE6AE226D2872AB63063654FA5CB8BD40CEBB63A1A3B2D91AD6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034453Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:05.869{15964E91-0D67-620E-C106-000000003602}7132ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\lqyh10pn.default-release\datareporting\glean\pending_pings\49b1d919-375f-4cb5-b9c8-e2027dbfcf8eMD5=FE56841A801F2A490CAC6C1E23B45C04,SHA256=86727F8DF557BB86EE325778AA2803C6A23480ED03BAA7CDB26209EE2A8DF164,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034452Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:05.647{15964E91-0D67-620E-C106-000000003602}7132ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\lqyh10pn.default-release\datareporting\glean\db\data.safe.binMD5=90C949210A6D6827A68C905AF6F3A77A,SHA256=E4D62D22B5B2A4A231A185C0D52865CD1F6CCAE636D339D0C0AD0ED9847835DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034451Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:05.644{15964E91-0D67-620E-C106-000000003602}7132ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\lqyh10pn.default-release\datareporting\glean\db\data.safe.binMD5=90C949210A6D6827A68C905AF6F3A77A,SHA256=E4D62D22B5B2A4A231A185C0D52865CD1F6CCAE636D339D0C0AD0ED9847835DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034450Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:05.638{15964E91-0D67-620E-C106-000000003602}7132ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\lqyh10pn.default-release\datareporting\glean\db\data.safe.binMD5=7FDB060F4A21A4B2AD1B6824E1AE04CD,SHA256=5DF6FD1A44F0301BF680C1448999D07EEBE1C391257620B78DCFD71107424B6E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034449Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:05.636{15964E91-0D67-620E-C106-000000003602}7132ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\lqyh10pn.default-release\datareporting\glean\db\data.safe.binMD5=1BEC66B7D6FDB07392F889158BABF390,SHA256=3983186060DB9ED94BF7C7F39F90E0FB8C251E55858EE970DD43308259BCACFC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034448Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:05.631{15964E91-0D67-620E-C106-000000003602}7132ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\lqyh10pn.default-release\datareporting\glean\db\data.safe.binMD5=8FC301BDDC705E9BA427BB563E0A74E8,SHA256=62C02A8B8470B75A152C6C5B5A475A0F1842F5D6F39A3C2F8C5C34C806A0BFBD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034447Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:05.623{15964E91-0D67-620E-C106-000000003602}7132ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\lqyh10pn.default-release\datareporting\glean\db\data.safe.binMD5=CA422A6D3FD78E4CF0868ADAC47D32BB,SHA256=6E9C8CDAD36619D72856C104C9C91082574A033A8A7E2B0E8D1B13A2762A6DD1,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034446Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:03.836{15964E91-054F-620E-0B00-000000003602}608C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-72.attackrange.local54618-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-72.attackrange.local389ldap 354300x800000000000000034445Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:03.836{15964E91-0562-620E-2800-000000003602}2872C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-72.attackrange.local54618-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-72.attackrange.local389ldap 10341000x800000000000000034515Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:06.643{15964E91-054F-620E-0B00-000000003602}608656C:\Windows\system32\lsass.exe{15964E91-054D-620E-0100-000000003602}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+97022|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2f1f1|C:\Windows\system32\lsasrv.dll+2d0d6|C:\Windows\system32\lsasrv.dll+32919|C:\Windows\system32\lsasrv.dll+30267|C:\Windows\system32\lsasrv.dll+2f1f1|C:\Windows\system32\lsasrv.dll+1752d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x800000000000000034514Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:06.612{15964E91-054F-620E-0B00-000000003602}608656C:\Windows\system32\lsass.exe{15964E91-0551-620E-1400-000000003602}1076C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000034513Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:06.596{15964E91-0D67-620E-C106-000000003602}7132ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\lqyh10pn.default-release\safebrowsing-updating\social-tracking-protection-twitter-digest256.vlpsetMD5=B50CF628E0082A7840D84D0CBE1CAD48,SHA256=544DF79BCEF9DC8E082021E342C2A1B12CD0B8BDAF3687E0F23785406EDF33AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034512Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:06.596{15964E91-0D67-620E-C106-000000003602}7132ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\lqyh10pn.default-release\safebrowsing-updating\social-tracking-protection-twitter-digest256.sbstoreMD5=F130C472E963FF3CEED251C65964B927,SHA256=E5D2A5BBE8AA43751EF7F7BC3A817A0963D56272A4C9B6055E60929606186CE2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034511Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:06.594{15964E91-0D67-620E-C106-000000003602}7132ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\lqyh10pn.default-release\safebrowsing-updating\social-tracking-protection-linkedin-digest256.vlpsetMD5=5F93E0F827909390D257EBB27C77F392,SHA256=5BCB684F3EE3B2EC2F4945655FBEF281C487399D6BF90451647DB1761715D4C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034510Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:06.593{15964E91-0D67-620E-C106-000000003602}7132ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\lqyh10pn.default-release\safebrowsing-updating\social-tracking-protection-linkedin-digest256.sbstoreMD5=9275B832091D9E3BFE50898A3BE022B5,SHA256=38C52A5435B625083000A054489B95E033F7B352377510DF668CEE749DE5803E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034509Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:06.593{15964E91-0D67-620E-C106-000000003602}7132ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\lqyh10pn.default-release\safebrowsing-updating\social-tracking-protection-facebook-digest256.vlpsetMD5=8AC8A05028631170937EDA4CF0E0A35A,SHA256=456AB2C0E4E117D62DC529362EB22C725D410098868442729ADE5E4FF0822E78,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034508Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:06.591{15964E91-0D67-620E-C106-000000003602}7132ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\lqyh10pn.default-release\safebrowsing-updating\social-tracking-protection-facebook-digest256.sbstoreMD5=7BBA9B83F0F213C5A723209D4C9962CE,SHA256=E1B8E7DEB0F34EEB6BF4D10E47E734A1FE829C365DF360B98646D7E11F2DD4C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034507Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:06.590{15964E91-0D67-620E-C106-000000003602}7132ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\lqyh10pn.default-release\safebrowsing-updating\social-track-digest256.vlpsetMD5=16BF2AA546411BA25DC80EA288D47143,SHA256=524EC56C023155C7BE4C84D5AEC4FE2D85DFBAB3C2FA27F82BCD35028D546F83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034506Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:06.588{15964E91-0D67-620E-C106-000000003602}7132ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\lqyh10pn.default-release\safebrowsing-updating\social-track-digest256.sbstoreMD5=69EE5B232870704AFCC0E8957AA42A0F,SHA256=EC8DF5279022B68C0B542EC1688889374754106DFADBF7CAF8337E3F98865941,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034505Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:06.587{15964E91-0D67-620E-C106-000000003602}7132ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\lqyh10pn.default-release\safebrowsing-updating\mozstd-trackwhite-digest256.vlpsetMD5=83BCEF27E5B36115C2ADBA73CE9A7D2B,SHA256=3F68B0FEFBD484094D6517761B2DC13C6A430DDE3B44FA6CCACA3E39052D2AAD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034504Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:06.565{15964E91-0D67-620E-C106-000000003602}7132ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\lqyh10pn.default-release\safebrowsing-updating\mozstd-trackwhite-digest256.sbstoreMD5=177BC07ECED26CEBE0441C318BD35BB8,SHA256=2A816C802C006DF75CA86E1497E4CF05DFB0F07DB0CD31C0EC30EDAF92C2DF75,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034503Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:06.565{15964E91-0D67-620E-C106-000000003602}7132ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\lqyh10pn.default-release\safebrowsing-updating\mozplugin-block-digest256.vlpsetMD5=FCC9C2C9B611A3264B68EBE180EB4248,SHA256=6ECD378A537EEFE350B45CFA353741383F407D99D776BF23155A7825DC5DD2BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034502Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:06.565{15964E91-0D67-620E-C106-000000003602}7132ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\lqyh10pn.default-release\safebrowsing-updating\mozplugin-block-digest256.sbstoreMD5=519BEB1B01FC355BB388F1F75BE997FD,SHA256=FFE2D3077B81AE6F51B220C1C661B276C823FA67DAD1D64FC5F17249FC54BDC0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034501Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:06.565{15964E91-0D67-620E-C106-000000003602}7132ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\lqyh10pn.default-release\safebrowsing-updating\google4\goog-unwanted-proto.vlpsetMD5=88E36656A2FAA00727F05A0A5963A78B,SHA256=F7764A060932E62AD37471B0FD4DF1542D9DCC2F22CA8EAF1CBD521177FD2CCC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034500Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:06.565{15964E91-0672-620E-BC00-000000003602}4852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=554F80C87A60F88447015614FA504F09,SHA256=9734764964C63DD96DF33102D80013D51246168D99B6876127D1078C9C381AF6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034499Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:06.565{15964E91-0D67-620E-C106-000000003602}7132ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\lqyh10pn.default-release\safebrowsing-updating\google4\goog-unwanted-proto.metadataMD5=D46804DBCA2A77DBC729D88443CC7FF0,SHA256=7736FDDC3E9357D43CBA17FF1FE1E6C3CD85E23C24BF19E8B1C00117BBC223AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034498Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:06.565{15964E91-0D67-620E-C106-000000003602}7132ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\lqyh10pn.default-release\safebrowsing-updating\google4\goog-phish-proto.vlpsetMD5=C48253CF1D2A9A4E65BE0664F7DA4DE6,SHA256=3196F11A179B8EC11256D80861AE57CF2FBCE3D28937AE5FEF5450A5174233DB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034497Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:06.518{15964E91-054F-620E-0B00-000000003602}608656C:\Windows\system32\lsass.exe{15964E91-0551-620E-1600-000000003602}1328C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034496Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:06.503{15964E91-054F-620E-0B00-000000003602}608776C:\Windows\system32\lsass.exe{15964E91-0551-620E-1600-000000003602}1328C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000034495Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:06.470{15964E91-0D67-620E-C106-000000003602}7132ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\lqyh10pn.default-release\safebrowsing-updating\google4\goog-phish-proto.metadataMD5=19449DB498CEFC81B3C86BE8713DDEDC,SHA256=B7F4ECF0FABC1F55242ADE875A82359AAA4F50DF692436BE7C19C2936AA52647,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034494Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:06.470{15964E91-0D67-620E-C106-000000003602}7132ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\lqyh10pn.default-release\safebrowsing-updating\google4\goog-malware-proto.vlpsetMD5=EB2E6454119F9F36075395E93E9397FE,SHA256=8F540912960D7A9CCFD6FE26027DE87854BBDB3FD2A5642911B5EA146C1D0A13,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034493Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:06.470{15964E91-0D67-620E-C106-000000003602}7132ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\lqyh10pn.default-release\safebrowsing-updating\google4\goog-malware-proto.metadataMD5=15A633D57EDA6D540F58AA15C2220F45,SHA256=F0C0AF86B1EFD3ABDFE522BA98A2CC667EF88268463E386B6B0E984D7806EFC8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034492Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:06.470{15964E91-0D67-620E-C106-000000003602}7132ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\lqyh10pn.default-release\safebrowsing-updating\google4\goog-downloadwhite-proto.vlpsetMD5=B0272F5CF9F56F11C856155DC5F40BE1,SHA256=74AB81A1929A8806D559A13140947F076CABA52BF882364C416EF4D8E9B155F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034491Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:06.470{15964E91-0D67-620E-C106-000000003602}7132ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\lqyh10pn.default-release\safebrowsing-updating\google4\goog-downloadwhite-proto.metadataMD5=9A73468CCF6F575C60C851B9CA0CEB38,SHA256=43C5FF90275C946D660E69142234C7984D5C268E15889DE5D86D73B7FF31BD3A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034490Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:06.470{15964E91-0D67-620E-C106-000000003602}7132ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\lqyh10pn.default-release\safebrowsing-updating\google4\goog-badbinurl-proto.vlpsetMD5=A782AEC28A4EBB69F24B60F59FA66F38,SHA256=ABF8A1022B25C4008669B9D97E99BA6319CD4B3D188596C795848A669990B224,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034489Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:06.470{15964E91-0D67-620E-C106-000000003602}7132ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\lqyh10pn.default-release\safebrowsing-updating\google4\goog-badbinurl-proto.metadataMD5=A4001CF7BEA74DD2A9D614EA0F0F7F8F,SHA256=51CB8386868FA686ED4AEC74FB7F7F5CB68F01C57BE29313822A98B9EDFC7255,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034488Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:06.470{15964E91-0D67-620E-C106-000000003602}7132ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\lqyh10pn.default-release\safebrowsing-updating\google-trackwhite-digest256.vlpsetMD5=E54E5B84194EEE15E64D2A03F1136BB7,SHA256=07707B589BE3DBA3BB0BDAC67760A2B180EA3531E9D7976B73E4C1D8DF9DBB1E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034487Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:06.454{15964E91-0D67-620E-C106-000000003602}7132ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\lqyh10pn.default-release\safebrowsing-updating\google-trackwhite-digest256.sbstoreMD5=FEC9BC354A7EE92C6FEEFE63E6B0FA26,SHA256=258EF8E6994A09FFB54BD0D5AFEC97C13C31F2EEFB7FE90A2A4C487C87817519,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034486Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:06.454{15964E91-0D67-620E-C106-000000003602}7132ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\lqyh10pn.default-release\safebrowsing-updating\except-flashsubdoc-digest256.vlpsetMD5=0C0D67875BD75A0227C02DD8529BA01A,SHA256=614BE0169EC36E67223EB9645A98DA66DBFDE5DFBB89BB064F428AAEABDD9D97,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034485Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:06.454{15964E91-0D67-620E-C106-000000003602}7132ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\lqyh10pn.default-release\safebrowsing-updating\except-flashsubdoc-digest256.sbstoreMD5=22698B4CF784DBBAE2D583F00491D43D,SHA256=3849563088AE0677D61702A1310FDE26DE5DDD846D53037222D3EFE012197BF5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034484Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:06.438{15964E91-0D67-620E-C106-000000003602}7132ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\lqyh10pn.default-release\safebrowsing-updating\except-flashallow-digest256.vlpsetMD5=7194B6BFF691A056852A51E2E06CE8FE,SHA256=CBE2DC6ABFE25BEAD60F4DFAF419FC0F441FF8A8DD4A2FEBF5553BE1CBD90C49,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034483Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:06.438{15964E91-0D67-620E-C106-000000003602}7132ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\lqyh10pn.default-release\safebrowsing-updating\except-flashallow-digest256.sbstoreMD5=DD0458514C9A922B45DA6A8BEBE47320,SHA256=D27D5B27030F4725249377951BEB89E84A90A0E8241F0D5FD80EA59C1606E761,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034482Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:06.438{15964E91-0D67-620E-C106-000000003602}7132ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\lqyh10pn.default-release\safebrowsing-updating\except-flash-digest256.vlpsetMD5=C2994D388F8780C87D35C352D9582985,SHA256=7ED09F7D2BD632F70077A4AE4F2BD2F3FB654B03CD72652F51678B0C7D027F25,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034481Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:06.438{15964E91-0D67-620E-C106-000000003602}7132ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\lqyh10pn.default-release\safebrowsing-updating\except-flash-digest256.sbstoreMD5=D5D6B4D59B4AE4E2DE4B40D0DA083571,SHA256=000E3A78C72A210CA3B5417A3CDD294FBCE2A31661601C9D594C75CF2800571C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034480Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:06.438{15964E91-0D67-620E-C106-000000003602}7132ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\lqyh10pn.default-release\safebrowsing-updating\content-track-digest256.vlpsetMD5=07FF16BA9846838DA27AE094A1B91369,SHA256=DC83AE90504AC11C29876CFC48483976397E899958EE8EDE7F381971A2C2C4B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034479Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:06.438{15964E91-0D67-620E-C106-000000003602}7132ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\lqyh10pn.default-release\safebrowsing-updating\content-track-digest256.sbstoreMD5=1B9A162CEB3C7BE8393CE348F35A4564,SHA256=2D6B6351BD1B8C2047DA1854D0033EE6C5CD9F1BFE38C5E1A2B82C86AFE8A598,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034478Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:06.438{15964E91-0D67-620E-C106-000000003602}7132ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\lqyh10pn.default-release\safebrowsing-updating\block-flashsubdoc-digest256.vlpsetMD5=40165280FF1345B5241EC2A9D1DA2AF0,SHA256=F80BDD5341D8B1EE946E344E258EF2D35C3C0BB6B13EB7B3E6A77467DFA8B97F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034477Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:06.438{15964E91-0D67-620E-C106-000000003602}7132ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\lqyh10pn.default-release\safebrowsing-updating\block-flashsubdoc-digest256.sbstoreMD5=B9556D03AFF392142AD5691D2F867310,SHA256=CFD3909B41C1EE3CBCB8B7D2B1378065E7D3B543FFF1F2FB7A4F25C5FF41722C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034476Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:06.438{15964E91-0D67-620E-C106-000000003602}7132ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\lqyh10pn.default-release\safebrowsing-updating\block-flash-digest256.vlpsetMD5=130B9AC2BEEC5ADA274561105D81AE36,SHA256=7D99FEC08182A5B95D18D1569EDAA2C60C2AAFBD15A56D8882F22F3B395E6460,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034475Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:06.438{15964E91-0D67-620E-C106-000000003602}7132ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\lqyh10pn.default-release\safebrowsing-updating\block-flash-digest256.sbstoreMD5=9F6B331AA1E070DCFEED473E76CE56C3,SHA256=7DBBEA2DD387EEB85E1F56E02FC9989ACDE570CD43BFEF2C2A827093BA87DA6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034474Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:06.438{15964E91-0D67-620E-C106-000000003602}7132ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\lqyh10pn.default-release\safebrowsing-updating\base-fingerprinting-track-digest256.vlpsetMD5=0DBA6F5178E8433D0EED8C5BB5223635,SHA256=262DCBF46B0C20468B29D2908412070388B9BAAF0AFED3693245F92E61E5DE00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034473Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:06.438{15964E91-0D67-620E-C106-000000003602}7132ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\lqyh10pn.default-release\safebrowsing-updating\base-fingerprinting-track-digest256.sbstoreMD5=D65C0F2F756552800930D7EDA0264C0B,SHA256=67606ECCDB4FA978F4795C2ABC47767824C6D5AD65C3EE02E0E7445A31CF37CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034472Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:06.438{15964E91-0D67-620E-C106-000000003602}7132ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\lqyh10pn.default-release\safebrowsing-updating\base-cryptomining-track-digest256.vlpsetMD5=82E921320B62879B070EBE9D8F1F4256,SHA256=A781BFF04964067CB06EA80DA605A4A2837F7256580693C6DBDCA971D8C9BDB0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034471Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:06.423{15964E91-0D67-620E-C106-000000003602}7132ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\lqyh10pn.default-release\safebrowsing-updating\base-cryptomining-track-digest256.sbstoreMD5=BB9BB51CB484CC5719D210D53CF37762,SHA256=1903A36C25AEB3C61953484ED931ED52AB4A3BD13FCC38046154A6681472D499,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034470Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:06.423{15964E91-0D67-620E-C106-000000003602}7132ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\lqyh10pn.default-release\safebrowsing-updating\analytics-track-digest256.vlpsetMD5=AFD5A023DF4245E323E53D47A0BF9414,SHA256=FEE63ABE7743CA680B6C96024D9EE023C10F7C9BC1929231A663A55A79EF5D59,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034469Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:06.423{15964E91-0D67-620E-C106-000000003602}7132ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\lqyh10pn.default-release\safebrowsing-updating\analytics-track-digest256.sbstoreMD5=80ED9689AB372AAC91B47B347AE5A3BD,SHA256=253E054323EF5921475DD6DFC92942944B17AD7F18FCF851C44F165687F845AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034468Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:06.423{15964E91-0D67-620E-C106-000000003602}7132ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\lqyh10pn.default-release\safebrowsing-updating\allow-flashallow-digest256.vlpsetMD5=DE0D88480C24350C59E1E9A3583DE0D1,SHA256=01BA9F0B913E04ED10BD7166796483DD4F72005F249D6EE68B12117BE4B5D3C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034467Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:06.423{15964E91-0D67-620E-C106-000000003602}7132ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\lqyh10pn.default-release\safebrowsing-updating\allow-flashallow-digest256.sbstoreMD5=DD0458514C9A922B45DA6A8BEBE47320,SHA256=D27D5B27030F4725249377951BEB89E84A90A0E8241F0D5FD80EA59C1606E761,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034466Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:06.423{15964E91-0D67-620E-C106-000000003602}7132ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\lqyh10pn.default-release\safebrowsing-updating\ads-track-digest256.vlpsetMD5=10DF08FF9D77ACBF8F2BFB88B4BF1E3E,SHA256=4CC64D82E2EE876BA287302C877554B9D226416AF66CDF9C0350DBB845433881,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034465Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:06.423{15964E91-0D67-620E-C106-000000003602}7132ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\lqyh10pn.default-release\safebrowsing-updating\ads-track-digest256.sbstoreMD5=E1E560A4EAE533286AEA5189E628BBCA,SHA256=0E5F9C474D34A165AF58EFB90E76E2CEDAE8A3E4FC29A6D9B9E2CFAEACD88A0F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034464Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:06.391{15964E91-0D67-620E-C106-000000003602}7132ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\lqyh10pn.default-release\safebrowsing-updating\google4\goog-badbinurl-proto.metadataMD5=A4001CF7BEA74DD2A9D614EA0F0F7F8F,SHA256=51CB8386868FA686ED4AEC74FB7F7F5CB68F01C57BE29313822A98B9EDFC7255,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034463Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:06.391{15964E91-0D67-620E-C106-000000003602}7132ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\lqyh10pn.default-release\safebrowsing-updating\google4\goog-badbinurl-proto-1.vlpsetMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034462Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:06.307{15964E91-0D67-620E-C106-000000003602}7132ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\lqyh10pn.default-release\safebrowsing-updating\google4\goog-unwanted-proto.metadataMD5=D46804DBCA2A77DBC729D88443CC7FF0,SHA256=7736FDDC3E9357D43CBA17FF1FE1E6C3CD85E23C24BF19E8B1C00117BBC223AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034461Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:06.307{15964E91-0D67-620E-C106-000000003602}7132ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\lqyh10pn.default-release\safebrowsing-updating\google4\goog-unwanted-proto-1.vlpsetMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034460Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:06.292{15964E91-0D67-620E-C106-000000003602}7132ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\lqyh10pn.default-release\safebrowsing-updating\google4\goog-phish-proto.metadataMD5=19449DB498CEFC81B3C86BE8713DDEDC,SHA256=B7F4ECF0FABC1F55242ADE875A82359AAA4F50DF692436BE7C19C2936AA52647,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034459Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:06.249{15964E91-0D67-620E-C106-000000003602}7132ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\lqyh10pn.default-release\datareporting\aborted-session-pingMD5=44EBBFBA9D0DC966FC219D3B98D58927,SHA256=6B90394DD07716043F152392642163AD78F21B97FFEFC17412AEE4B8223B5161,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034458Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:06.239{15964E91-0D67-620E-C106-000000003602}7132ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\lqyh10pn.default-release\safebrowsing-updating\google4\goog-phish-proto-1.vlpsetMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034457Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:05.140{15964E91-0D67-620E-C106-000000003602}7132C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-tcontreras-attack-range-72.attackrange.local54619-false142.250.184.202fra24s11-in-f10.1e100.net443https 354300x800000000000000034456Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:05.136{15964E91-0562-620E-2A00-000000003602}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-72.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-72.attackrange.local54451- 23542300x800000000000000034455Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:06.109{15964E91-0D67-620E-C106-000000003602}7132ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\lqyh10pn.default-release\datareporting\session-state.jsonMD5=F75E0C29BA3EA30E78B7047A1D4273D4,SHA256=41479DBBBCC8EA3D16FB58E3A467293714F5D1E3B85101DDC732575BED09D8AC,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034535Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:07.118{15964E91-0551-620E-0D00-000000003602}880C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:24d2:66f9:4196:9c3fwin-dc-tcontreras-attack-range-72.attackrange.local54626-truefe80:0:0:0:24d2:66f9:4196:9c3fwin-dc-tcontreras-attack-range-72.attackrange.local135epmap 354300x800000000000000034534Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:07.118{15964E91-0551-620E-1400-000000003602}1076C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcptruetruefe80:0:0:0:24d2:66f9:4196:9c3fwin-dc-tcontreras-attack-range-72.attackrange.local54626-truefe80:0:0:0:24d2:66f9:4196:9c3fwin-dc-tcontreras-attack-range-72.attackrange.local135epmap 354300x800000000000000034533Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:07.024{15964E91-0672-620E-BC00-000000003602}4852C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-72.attackrange.local54624-false10.0.1.12-8089- 354300x800000000000000034532Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:07.015{15964E91-054F-620E-0B00-000000003602}608C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-tcontreras-attack-range-72.attackrange.local54625-false10.0.1.14win-dc-tcontreras-attack-range-72.attackrange.local389ldap 354300x800000000000000034531Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:07.014{15964E91-0551-620E-1600-000000003602}1328C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-72.attackrange.local54625-false10.0.1.14win-dc-tcontreras-attack-range-72.attackrange.local389ldap 354300x800000000000000034530Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:07.006{15964E91-054F-620E-0B00-000000003602}608C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:24d2:66f9:4196:9c3fwin-dc-tcontreras-attack-range-72.attackrange.local54623-truefe80:0:0:0:24d2:66f9:4196:9c3fwin-dc-tcontreras-attack-range-72.attackrange.local389ldap 354300x800000000000000034529Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:07.006{15964E91-0551-620E-1600-000000003602}1328C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:24d2:66f9:4196:9c3fwin-dc-tcontreras-attack-range-72.attackrange.local54623-truefe80:0:0:0:24d2:66f9:4196:9c3fwin-dc-tcontreras-attack-range-72.attackrange.local389ldap 354300x800000000000000034528Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:07.002{15964E91-054F-620E-0B00-000000003602}608C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:24d2:66f9:4196:9c3fwin-dc-tcontreras-attack-range-72.attackrange.local54622-truefe80:0:0:0:24d2:66f9:4196:9c3fwin-dc-tcontreras-attack-range-72.attackrange.local49666- 354300x800000000000000034527Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:07.002{15964E91-054F-620E-0B00-000000003602}608C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:24d2:66f9:4196:9c3fwin-dc-tcontreras-attack-range-72.attackrange.local54622-truefe80:0:0:0:24d2:66f9:4196:9c3fwin-dc-tcontreras-attack-range-72.attackrange.local49666- 354300x800000000000000034526Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:07.001{15964E91-0551-620E-0D00-000000003602}880C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:24d2:66f9:4196:9c3fwin-dc-tcontreras-attack-range-72.attackrange.local54621-truefe80:0:0:0:24d2:66f9:4196:9c3fwin-dc-tcontreras-attack-range-72.attackrange.local135epmap 354300x800000000000000034525Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:07.001{15964E91-054F-620E-0B00-000000003602}608C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:24d2:66f9:4196:9c3fwin-dc-tcontreras-attack-range-72.attackrange.local54621-truefe80:0:0:0:24d2:66f9:4196:9c3fwin-dc-tcontreras-attack-range-72.attackrange.local135epmap 23542300x800000000000000034524Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:07.511{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D8A73194030E8AD4D80DA18A17F485FF,SHA256=C52EA6EA1454650C2609C0425781E035ACB47A2822DCF7224E8910CC6DD6E440,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034523Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:07.393{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8E7E05B811045DAAFC07F41D1F97DB0,SHA256=D5BD0A0E24470D5DA670D26A732C1144011469250F44F528A0B4B0C7F615CF88,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034522Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:06.615{15964E91-0562-620E-2A00-000000003602}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-53296- 354300x800000000000000034521Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:06.589{15964E91-0562-620E-2A00-000000003602}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-72.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-72.attackrange.local53296- 354300x800000000000000034520Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:06.149{15964E91-0D67-620E-C106-000000003602}7132C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-tcontreras-attack-range-72.attackrange.local54620-false34.120.208.123123.208.120.34.bc.googleusercontent.com443https 354300x800000000000000034519Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:06.148{15964E91-0562-620E-2A00-000000003602}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-72.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-72.attackrange.local63348- 354300x800000000000000034518Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:06.146{15964E91-0562-620E-2A00-000000003602}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-72.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-72.attackrange.local53061- 354300x800000000000000034517Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:06.142{15964E91-0562-620E-2A00-000000003602}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-72.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-72.attackrange.local49763- 23542300x800000000000000034516Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:07.111{15964E91-0D67-620E-C106-000000003602}7132ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\lqyh10pn.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034540Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:07.139{15964E91-054D-620E-0100-000000003602}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:24d2:66f9:4196:9c3fwin-dc-tcontreras-attack-range-72.attackrange.local54628-truefe80:0:0:0:24d2:66f9:4196:9c3fwin-dc-tcontreras-attack-range-72.attackrange.local445microsoft-ds 354300x800000000000000034539Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:07.139{15964E91-054D-620E-0100-000000003602}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:24d2:66f9:4196:9c3fwin-dc-tcontreras-attack-range-72.attackrange.local54628-truefe80:0:0:0:24d2:66f9:4196:9c3fwin-dc-tcontreras-attack-range-72.attackrange.local445microsoft-ds 354300x800000000000000034538Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:07.131{15964E91-054F-620E-0B00-000000003602}608C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:24d2:66f9:4196:9c3fwin-dc-tcontreras-attack-range-72.attackrange.local54627-truefe80:0:0:0:24d2:66f9:4196:9c3fwin-dc-tcontreras-attack-range-72.attackrange.local49666- 354300x800000000000000034537Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:07.131{15964E91-0551-620E-1400-000000003602}1076C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcptruetruefe80:0:0:0:24d2:66f9:4196:9c3fwin-dc-tcontreras-attack-range-72.attackrange.local54627-truefe80:0:0:0:24d2:66f9:4196:9c3fwin-dc-tcontreras-attack-range-72.attackrange.local49666- 23542300x800000000000000034536Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:08.112{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=727E26B5FEDEE51966AD22497847BF21,SHA256=7857CEEA86355E762B7DC07B2F03E9A8C6D8F7E97FD7E23B8B648AAF666C9A28,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034542Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:07.581{15964E91-067A-620E-EA00-000000003602}944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-72.attackrange.local54629-false10.0.1.12-8000- 23542300x800000000000000034541Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:09.126{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0D185CA740179E664C54A65F6D19295,SHA256=F66DB0AE204610A5584FB67C49E21DCCA76ED79C2788CCB4352D5CA910AF9EC0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034543Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:10.141{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E25AEA51BEC8F8AB19C00F168C3EFD37,SHA256=7B24440AC958AB123B51B54211728BCCD363E77CD22649B645F36D71F7C49A63,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034544Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:11.144{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D2474922FD82EB1A94384212E0828FC,SHA256=B313778B5A099DC120B36FD4EA702963C07DACA1933E3C60BD10523079D08C1B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034545Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:12.193{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFF7CAA0B5BDC1B0BD53BC9C5EE9534F,SHA256=17BD40E8297D11894753A1165C0229D563EDDB15E34FD8F225BC31B90EC481BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034546Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:13.211{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DCF52140C7F5E3B1C290ED74D017512,SHA256=A023C3D2373BD88EA571A8F4EC41BF981A8D35C24371ED0C530AED913A1031C6,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034548Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:12.604{15964E91-067A-620E-EA00-000000003602}944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-72.attackrange.local54630-false10.0.1.12-8000- 23542300x800000000000000034547Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:14.242{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC8EC041854732DB42FA3546B372EA65,SHA256=05F45A144D164ADA019BB59060D27E75D0052EFF4EBCBFBB2B6132B3E50A343E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034549Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:15.257{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23CC485BBA4A264705F97AF20B692BF4,SHA256=00A709490712E703688C47FCBD2B31BEBC1D40CF71CDCD8D38664B55E2FFD3D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034550Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:16.273{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7142E06696589DEA41169F0169E3EBB,SHA256=66542A028442219A4B2A8494D3FA4C5BFCB4A71F261AE7C41802286EA47D7BE7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034552Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:17.856{15964E91-0D67-620E-C106-000000003602}7132ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\lqyh10pn.default-release\xulstore.jsonMD5=2A3CC2404FD9A14E62E290A4D760AD16,SHA256=6B7B2F2D838041111013F7ABE686644F4259441D23BD63C4BB04FBAF6F1B7A61,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034551Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:17.290{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3DED1261922E2B26873D2F9AA4A5A80C,SHA256=EE2CBFF3A0CCFC7A39C5E4A74841AAA9EB5FFAD6C49F29DEC997AE86AA004768,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034555Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:18.409{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1815DE813B09D8177CF7B2CB19303F68,SHA256=D7B8A66CBC9BAC3C751E96756BFBBFC28DE3D658BD1C14FC722987A53F1CA33F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034554Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:18.409{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2EF96C0E6FDAD347331BF1AF674C5BAE,SHA256=5B9085B7B60826BC58BB02013253FDA03CA8D4F1152BF0BC0D15EE2E99BE1ACA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034553Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:18.309{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54F34AF1F741089798AC273828040338,SHA256=7861F5FA85DCB24563DB3F6DA0322ED6393A5259340C801F3B25D88AC9081BB3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034558Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:19.340{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4445A378C0C1EA39D83CE56D549E86F9,SHA256=C5345F06A500007502557817590624A728025CD359BBE9AF02F57F0B4A07CF41,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034557Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:19.071{15964E91-054F-620E-0B00-000000003602}608776C:\Windows\system32\lsass.exe{15964E91-0562-620E-2900-000000003602}2880C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034556Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:19.071{15964E91-054F-620E-0B00-000000003602}608776C:\Windows\system32\lsass.exe{15964E91-0562-620E-2900-000000003602}2880C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000034562Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:19.564{15964E91-0551-620E-0D00-000000003602}880C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:24d2:66f9:4196:9c3fwin-dc-tcontreras-attack-range-72.attackrange.local54632-truefe80:0:0:0:24d2:66f9:4196:9c3fwin-dc-tcontreras-attack-range-72.attackrange.local135epmap 354300x800000000000000034561Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:19.564{15964E91-0562-620E-2900-000000003602}2880C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:24d2:66f9:4196:9c3fwin-dc-tcontreras-attack-range-72.attackrange.local54632-truefe80:0:0:0:24d2:66f9:4196:9c3fwin-dc-tcontreras-attack-range-72.attackrange.local135epmap 354300x800000000000000034560Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:18.578{15964E91-067A-620E-EA00-000000003602}944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-72.attackrange.local54631-false10.0.1.12-8000- 23542300x800000000000000034559Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:20.370{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76A489B3F19A4E382A445157BE122D1D,SHA256=70D51F9742BB577DF01AD6004C1C57007BE65493883950726D706C72A77BFE37,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034563Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:21.388{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=259FE52219625CB89B1212025A103AEF,SHA256=52C327564CB34D3E0D853B7B0FA4A541C8C2A7C475B4612C87343EAC7FB0B399,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034564Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:22.422{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8594F749945D888BAF904A4F0A9D79B,SHA256=095710F018268B1A2EB75EF1BBC6BD30374A704D5D5EDF4E369CF012DE32658B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034565Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:23.436{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E3DB101714BF6D913A8FF95FF6E9C37,SHA256=F193BCF910AC3E607781356D08BE913AD7A982AD23DC703B1A6C5D24869DAB2C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034566Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:24.451{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2584C9F86070205759F27D5831EF7689,SHA256=68F303228D09413F5DD90373424FC742D1F7663A7D64F73A09CD3E456884C560,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034568Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:23.678{15964E91-067A-620E-EA00-000000003602}944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-72.attackrange.local54633-false10.0.1.12-8000- 23542300x800000000000000034567Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:25.484{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8114D466CB1BA5551EDAF61F8B2E880C,SHA256=D3187475CC4B67B2F23DCFBD0A9B71F6E9AF689EC41795790A4515879DA557AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034569Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:26.504{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=213B291AE6C6A21397605606FDC71A8B,SHA256=94347DF175777F164C01726D1B23F1E77602C0EC36780A8770ED8A007C9FE36C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034570Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:27.519{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E7F975C264A53F13CDAA1AFE0B7B8E3,SHA256=5E04E898AE0D98403D799499A779675E7D6AB600374A9278F46FB7755B4B98BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034577Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:28.535{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2002D4ECDEEB25C18CCF1F6FA7A93ABB,SHA256=1F11967A0D1FC5049D048F106A7CC20194D79BD21DDA437BE21FBF52968FD394,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000034576Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-SetValue2022-02-17 09:26:28.219{15964E91-0562-620E-2900-000000003602}2880C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\6FC0DF5C-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_6FC0DF5C-0000-0000-0000-100000000000.XML 13241300x800000000000000034575Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-SetValue2022-02-17 09:26:28.219{15964E91-0562-620E-2900-000000003602}2880C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\3679F75E-AF26-4BA5-BADE-FA655BF916B3\Config SourceDWORD (0x00000001) 13241300x800000000000000034574Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-SetValue2022-02-17 09:26:28.219{15964E91-0562-620E-2900-000000003602}2880C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\3679F75E-AF26-4BA5-BADE-FA655BF916B3\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_3679F75E-AF26-4BA5-BADE-FA655BF916B3.XML 10341000x800000000000000034573Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:28.203{15964E91-054F-620E-0B00-000000003602}608776C:\Windows\system32\lsass.exe{15964E91-0562-620E-2900-000000003602}2880C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034572Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:28.203{15964E91-054F-620E-0B00-000000003602}608776C:\Windows\system32\lsass.exe{15964E91-0562-620E-2900-000000003602}2880C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000034571Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:28.169{15964E91-0562-620E-2C00-000000003602}3036NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0cd13038d9acfb6a1\channels\health\respondent-20220217082052-063MD5=5CDEFFEB9D405321091B6D567D00213B,SHA256=694D3E29A1B4A6F1E67ADE1AE836583F1FB15D03FD159997E24992AEAD1D69F8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034585Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:29.888{15964E91-054F-620E-0B00-000000003602}608656C:\Windows\system32\lsass.exe{15964E91-0562-620E-2900-000000003602}2880C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034584Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:29.885{15964E91-054F-620E-0B00-000000003602}608656C:\Windows\system32\lsass.exe{15964E91-0562-620E-2900-000000003602}2880C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034583Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:29.885{15964E91-054F-620E-0B00-000000003602}608656C:\Windows\system32\lsass.exe{15964E91-0562-620E-2900-000000003602}2880C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000034582Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:29.536{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53C0810B992A28E8FDA61A291F13D6BB,SHA256=0FA07183CC756D6DFCCED91AEC1C0B6E5DC02C74743140350C2580A256960636,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034581Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:29.168{15964E91-0562-620E-2C00-000000003602}3036NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0cd13038d9acfb6a1\channels\health\surveyor-20220217082050-064MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034580Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:29.050{15964E91-054F-620E-0B00-000000003602}608776C:\Windows\system32\lsass.exe{15964E91-0562-620E-2900-000000003602}2880C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034579Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:29.050{15964E91-054F-620E-0B00-000000003602}608776C:\Windows\system32\lsass.exe{15964E91-0562-620E-2900-000000003602}2880C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034578Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:29.050{15964E91-054F-620E-0B00-000000003602}608776C:\Windows\system32\lsass.exe{15964E91-0562-620E-2900-000000003602}2880C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034607Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:30.922{15964E91-0672-620E-C000-000000003602}31923852C:\Windows\system32\conhost.exe{15964E91-14C6-620E-E107-000000003602}3992C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034606Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:30.922{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034605Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:30.922{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034604Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:30.922{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034603Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:30.922{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034602Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:30.922{15964E91-054E-620E-0500-000000003602}392408C:\Windows\system32\csrss.exe{15964E91-14C6-620E-E107-000000003602}3992C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000034601Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:30.922{15964E91-0672-620E-BC00-000000003602}48522656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{15964E91-14C6-620E-E107-000000003602}3992C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000034600Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:30.923{15964E91-14C6-620E-E107-000000003602}3992C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{15964E91-054F-620E-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{15964E91-0672-620E-BC00-000000003602}4852C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000034599Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:29.628{15964E91-067A-620E-EA00-000000003602}944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-72.attackrange.local54635-false10.0.1.12-8000- 354300x800000000000000034598Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:29.541{15964E91-054F-620E-0B00-000000003602}608C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-tcontreras-attack-range-72.attackrange.local54634-false10.0.1.14win-dc-tcontreras-attack-range-72.attackrange.local389ldap 354300x800000000000000034597Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:29.541{15964E91-0562-620E-2900-000000003602}2880C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-72.attackrange.local54634-false10.0.1.14win-dc-tcontreras-attack-range-72.attackrange.local389ldap 23542300x800000000000000034596Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:30.550{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=990AA58C2CDCAB11875BBF1E5C58CC3B,SHA256=21B8106E110CBBE9CA71ADB7AB3A0A58392138466EA767C8FC533E83D377C579,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034595Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:30.435{15964E91-0672-620E-C000-000000003602}31923852C:\Windows\system32\conhost.exe{15964E91-14C6-620E-E007-000000003602}6200C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034594Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:30.435{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034593Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:30.435{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034592Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:30.435{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034591Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:30.435{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034590Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:30.435{15964E91-054E-620E-0500-000000003602}392476C:\Windows\system32\csrss.exe{15964E91-14C6-620E-E007-000000003602}6200C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000034589Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:30.435{15964E91-0672-620E-BC00-000000003602}48522656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{15964E91-14C6-620E-E007-000000003602}6200C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000034588Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:30.435{15964E91-14C6-620E-E007-000000003602}6200C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{15964E91-054F-620E-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{15964E91-0672-620E-BC00-000000003602}4852C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000034587Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:30.051{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=439144241605578E42D73C5B2CF525C2,SHA256=835BC08D9A057F9EB9C49E7807A6152DBC9C117EDB7B9C099EDFBAA0A8CB42E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034586Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:30.051{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1815DE813B09D8177CF7B2CB19303F68,SHA256=D7B8A66CBC9BAC3C751E96756BFBBFC28DE3D658BD1C14FC722987A53F1CA33F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034612Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:30.373{15964E91-054F-620E-0B00-000000003602}608C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-tcontreras-attack-range-72.attackrange.local54636-false10.0.1.14win-dc-tcontreras-attack-range-72.attackrange.local389ldap 354300x800000000000000034611Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:30.373{15964E91-0562-620E-2900-000000003602}2880C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-72.attackrange.local54636-false10.0.1.14win-dc-tcontreras-attack-range-72.attackrange.local389ldap 23542300x800000000000000034610Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:31.552{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4183F405BB4B01E09ED12126663AD774,SHA256=B84466334C04EAB2523E4154C47F07B62BB26B7271B2876CF203A24EE1C70066,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034609Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:31.437{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=439144241605578E42D73C5B2CF525C2,SHA256=835BC08D9A057F9EB9C49E7807A6152DBC9C117EDB7B9C099EDFBAA0A8CB42E3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034608Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:31.090{15964E91-14C6-620E-E107-000000003602}39925452C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{15964E91-0672-620E-BC00-000000003602}4852C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000034621Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:32.589{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C63BEB6705FF3D83017A4339F8B9B321,SHA256=0EDCDFF5D0B14406296D42F770E3F0DB0D6F721BAF29CB9A8883C7C22FD488C5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034620Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:32.005{15964E91-0672-620E-C000-000000003602}31923852C:\Windows\system32\conhost.exe{15964E91-14C8-620E-E207-000000003602}6224C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034619Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:32.005{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034618Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:32.005{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034617Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:32.005{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034616Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:32.005{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034615Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:32.005{15964E91-054E-620E-0500-000000003602}392476C:\Windows\system32\csrss.exe{15964E91-14C8-620E-E207-000000003602}6224C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000034614Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:32.005{15964E91-0672-620E-BC00-000000003602}48522656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{15964E91-14C8-620E-E207-000000003602}6224C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000034613Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:32.006{15964E91-14C8-620E-E207-000000003602}6224C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{15964E91-054F-620E-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{15964E91-0672-620E-BC00-000000003602}4852C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000034633Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:33.604{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DA03081A965846259A90F68F4335CAD,SHA256=3AA49AA93B4BCEE34317F8D1B6C89AE67161E84CF6E767A2616AE801A0D4798E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034632Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:33.436{15964E91-0551-620E-1100-000000003602}396NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=69C77EA7D4A3FF502B991BD5A0AD29C4,SHA256=7E2411C494C420622DAEBE7509B3FF51B9826D8B03643DBA2155AFB98C349F8B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034631Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:33.289{15964E91-14C9-620E-E307-000000003602}11563500C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{15964E91-0672-620E-BC00-000000003602}4852C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034630Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:33.089{15964E91-0672-620E-C000-000000003602}31923852C:\Windows\system32\conhost.exe{15964E91-14C9-620E-E307-000000003602}1156C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034629Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:33.086{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034628Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:33.086{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034627Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:33.085{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034626Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:33.085{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034625Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:33.085{15964E91-054E-620E-0500-000000003602}392508C:\Windows\system32\csrss.exe{15964E91-14C9-620E-E307-000000003602}1156C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000034624Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:33.085{15964E91-0672-620E-BC00-000000003602}48522656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{15964E91-14C9-620E-E307-000000003602}1156C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000034623Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:33.084{15964E91-14C9-620E-E307-000000003602}1156C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{15964E91-054F-620E-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{15964E91-0672-620E-BC00-000000003602}4852C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000034622Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:33.036{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5FC086D4BAF68B2152B587B5B60376B4,SHA256=83100FF1DA1482EF9EFEC4D7D099219B803ABC9C3BB813D33DCF24BC6DB86DED,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034652Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:34.886{15964E91-0672-620E-C000-000000003602}31923852C:\Windows\system32\conhost.exe{15964E91-14CA-620E-E507-000000003602}3288C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034651Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:34.884{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034650Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:34.884{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034649Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:34.884{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034648Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:34.884{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034647Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:34.884{15964E91-054E-620E-0500-000000003602}392408C:\Windows\system32\csrss.exe{15964E91-14CA-620E-E507-000000003602}3288C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000034646Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:34.883{15964E91-0672-620E-BC00-000000003602}48522656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{15964E91-14CA-620E-E507-000000003602}3288C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000034645Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:34.883{15964E91-14CA-620E-E507-000000003602}3288C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{15964E91-054F-620E-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{15964E91-0672-620E-BC00-000000003602}4852C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000034644Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:34.634{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1480E8693D5432E58D0D9835EFC7E0DE,SHA256=4F0C16C4234005C820275BC1524034032688C704134A4361D02EF771AC7DCAE9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034643Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:34.450{15964E91-14CA-620E-E407-000000003602}41442384C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{15964E91-0672-620E-BC00-000000003602}4852C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034642Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:34.286{15964E91-0672-620E-C000-000000003602}31923852C:\Windows\system32\conhost.exe{15964E91-14CA-620E-E407-000000003602}4144C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034641Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:34.284{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034640Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:34.284{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034639Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:34.284{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034638Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:34.284{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034637Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:34.284{15964E91-054E-620E-0500-000000003602}392508C:\Windows\system32\csrss.exe{15964E91-14CA-620E-E407-000000003602}4144C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000034636Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:34.283{15964E91-0672-620E-BC00-000000003602}48522656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{15964E91-14CA-620E-E407-000000003602}4144C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000034635Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:34.282{15964E91-14CA-620E-E407-000000003602}4144C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{15964E91-054F-620E-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{15964E91-0672-620E-BC00-000000003602}4852C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000034634Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:34.104{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=030C362D6A4C5141FE8EE100B3F8E689,SHA256=795086E3CB4798F94CAC88C5CD811395A24F90BC6CB9F1278140A13887A4BC83,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034664Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:35.951{15964E91-0672-620E-C000-000000003602}31923852C:\Windows\system32\conhost.exe{15964E91-14CB-620E-E607-000000003602}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034663Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:35.951{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034662Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:35.951{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034661Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:35.951{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034660Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:35.951{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034659Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:35.951{15964E91-054E-620E-0500-000000003602}392408C:\Windows\system32\csrss.exe{15964E91-14CB-620E-E607-000000003602}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000034658Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:35.951{15964E91-0672-620E-BC00-000000003602}48522656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{15964E91-14CB-620E-E607-000000003602}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000034657Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:35.952{15964E91-14CB-620E-E607-000000003602}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{15964E91-054F-620E-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{15964E91-0672-620E-BC00-000000003602}4852C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000034656Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:34.710{15964E91-067A-620E-EA00-000000003602}944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-72.attackrange.local54637-false10.0.1.12-8000- 23542300x800000000000000034655Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:35.652{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58B1F0C57155B85B284ADDF053A79309,SHA256=17E18D5ABE0C950389CF05F4B17E0F525BC0EB7F8ABD6CB666F72B4F927F6996,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034654Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:35.303{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9A214BB706E7AC27A25C77B69A369D51,SHA256=45E4C251910CD648EC4C0E7062EAC0C7BE2357F99E1DD7CC402AEA9DA60642B8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034653Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:35.087{15964E91-14CA-620E-E507-000000003602}32885008C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{15964E91-0672-620E-BC00-000000003602}4852C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000034666Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:36.986{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B0952F25B7C0AD4E6671FDFA87005E91,SHA256=5499111569612D2C49492BA1240F221F426399614646B65285ABA8BFD140A6FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034665Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:36.667{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64AEF5424194E1DF0E9DCD0A7C69B3F9,SHA256=9855E7891C4B2D471F86DD46F387116E4D534221E48BE3EBA83C2FBCEAFE87F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034667Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:37.685{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA8694F8183AD51EF5BA02503A974B56,SHA256=EF0BE6D0365349C3C10F0DE98FE399724621CF4D380F863E5DE5C89F59E27C80,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034668Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:38.704{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A62628712690C304ED60B244B843D4EE,SHA256=6CA5895CF94363110F2A8F3F0F9FFCBCADD1604E4FD8D18CAEA4746D37AEF55C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034669Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:39.705{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=396DF12FE39DAC92FD87935DD4E60E01,SHA256=0A35F206D9191FA5FBF8E7822041F22EC8422D22125ADC90C41CC4E2D664ADD5,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034671Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:39.731{15964E91-067A-620E-EA00-000000003602}944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-72.attackrange.local54638-false10.0.1.12-8000- 23542300x800000000000000034670Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:40.720{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D745EBA5810CFD38C3DD6A17D54BAB63,SHA256=51F057AC3EB32EBBA117DED39ADB2E8A366CA1553F21271A90D317861F145754,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034672Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:41.720{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1769CBEBEF412F9A65B6C3278F9D53A2,SHA256=E2AC44B53BE053449F300E1F03AA37D02756FF616B4F07BD4A8491AA116CC9A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034673Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:42.720{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0579D63030026BFBD31A8940F07D9140,SHA256=172AD5A1F17F79679ADE27D5394F9408EB34003BEC27ED661609ED59E9E2FCF1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034674Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:43.751{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F159C5A9344DBF9F56449E757F266A7C,SHA256=54AC374753049FB0FFF25AA6338722F374E37EE0E0D11057E9066D9CE048AAB0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034675Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:44.752{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E734E338F1C0A23687344B5F99C06360,SHA256=3E5AC8A62AC6BF1E8C5611029FB51FF4FF836AF6ED81D31B3C5E70221F5ED6B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034676Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:45.785{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9CB84C905DEC1B5ACB9261F3C174461D,SHA256=2B350FFFA7F8B497B1CFAE1E046239E07CA3EB1FFAD3FBC4145F183AB0C8B94B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034678Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:45.727{15964E91-067A-620E-EA00-000000003602}944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-72.attackrange.local54639-false10.0.1.12-8000- 23542300x800000000000000034677Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:46.820{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0F8A98F766F2A7E100C8BAF7B5B9639,SHA256=74E4A5A9952CF838C74DE89CF2EB0637F1876D2C36493165F73336ABD2728BD4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034679Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:47.851{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34A3CE1EAE87A2F7E603C9108FA92EC9,SHA256=4751C4164F7F6EDBBB121697B55BAD544604AA5FD40D4C37B616CF5220AFC438,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034680Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:48.884{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92B24B7A3702F0BA7A6DF62D3E6698B4,SHA256=5A4413EF85E828EEDB5ECFBECC4D3230BA255EAC3155A3B1ACA34BF3C5A011F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034681Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:49.919{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84B1B856C73DFC2573E248A8A949FB28,SHA256=AC8C8B3E4C0EE65FA1D6950403491A5B635ABED478912B5F7FDC1B9DBB8F959F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034682Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:50.949{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03D0F5831F501FB365C2FCE8426FE6EE,SHA256=84EDD40A628C70AD09C2DC34B23B09BA1A99141CD8863A756828452457C697DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034683Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:51.982{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4DF30EF3FE092572898EDF2AA6547A5,SHA256=ADFAD28433333D606CAA0C88B6EC36D6D2FFD454D813E9CFFDD3B076546521D9,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034685Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:51.671{15964E91-067A-620E-EA00-000000003602}944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-72.attackrange.local54640-false10.0.1.12-8000- 23542300x800000000000000034684Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:53.017{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FCD9F48B3544F4F19BC8CE36FD46A20,SHA256=47443627EFA3AFB7533C70B45B68AA0319DF6C3FF2A54BE8491FE7EF8997BB3C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034686Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:54.048{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65127D9E5B3E08EC8956B649E49A6A9D,SHA256=D89037ED1B9B115A861B1CF31E977BF83B2732EFC1039470525E17DCCA9E58D9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034688Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:55.080{15964E91-0551-620E-0D00-000000003602}8804684C:\Windows\system32\svchost.exe{15964E91-0D67-620E-C106-000000003602}7132C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000034687Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:55.049{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3E10F980CE8CCA276C13295B0F3788E,SHA256=6CB1D9FF476518F39DB86F38D8F1439DF3A6F9C329BC49A11F35AE8912745D25,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034689Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:56.082{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6ADA62B671EA2E6EAAD1BEF563DFBC1D,SHA256=BF72FC45682BAEC85B83BC6C6A3358067012E036F1B59DE7BC579F5F9251DC0C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034690Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:57.116{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D0F90E41709E1B10CA4DD661ED87A2C,SHA256=13C016FEC45433258EFEE7DB7463FC543DD943A44DAC3203B9EDB5CD29B0A23D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034692Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:56.723{15964E91-067A-620E-EA00-000000003602}944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-72.attackrange.local54641-false10.0.1.12-8000- 23542300x800000000000000034691Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:58.146{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3873DA026FEABD3415FC9ADA10BEDB4,SHA256=FECEA300F9A39FF0A479A42C50C6363A7DB3FC4F79F701B32BF080A5D749ED73,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034693Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:26:59.161{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D634A3407F3C5566AD16CCF64F79C808,SHA256=68BBA7BF25D2DB9829C5BB46D0D2D94B0EAA25060D1A23B7CDD30226E3B200B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034694Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:27:00.178{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=237A295C42DE82B7E5C45A6D53943DA6,SHA256=17817E948CD4BF750114F3FCB46C42D612AC6A94508DC3265198BDA557C71219,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034695Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:27:01.199{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=403AEA322C684CAF5C644AD5DB915DEE,SHA256=610922008C2DFF144787A5DA82B98BBAF8B726F724450FB5D6A59C6D6C77E86F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034697Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:27:02.898{15964E91-0551-620E-0D00-000000003602}8804684C:\Windows\system32\svchost.exe{15964E91-0B4C-620E-5506-000000003602}1724C:\Windows\System32\rdpclip.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000034696Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:27:02.214{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55484918C6E3913CE298C8AE83DB0A41,SHA256=E35050018017169C8B4A9625C911491A3701A5EDC3ED4863882FCC2AFC62CF13,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034698Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:27:03.229{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39822473424303D7ECD059A05C7EDE5D,SHA256=C8C696EC265AD9E7644A295D73C65A4483969F7387601B18EEEAA3AD4EFD2C1B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034702Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:27:04.381{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B591139CF9D16442A5F367CEED6520AD,SHA256=C7003C67AB19FA2454A6ECA085CC323A34FC382034CFC1B3B44910DD61DE25EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034701Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:27:04.380{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=593874465A8B0B02A700BCFF45628547,SHA256=878647306982ECFEA22EFA550E041EDCA31DCE4257D4133256777EEF0D8C2E05,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034700Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:27:02.536{15964E91-067A-620E-EA00-000000003602}944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-72.attackrange.local54642-false10.0.1.12-8000- 23542300x800000000000000034699Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:27:04.244{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43738A99E272AB9CDCDAF55AB7F4AF65,SHA256=4F772A652803CAD63C0A98249362A1F5D9CAF37AEEE3FFDBA1527E76746D8D4F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034705Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:27:03.851{15964E91-054F-620E-0B00-000000003602}608C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-72.attackrange.local54643-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-72.attackrange.local389ldap 354300x800000000000000034704Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:27:03.851{15964E91-0562-620E-2800-000000003602}2872C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-72.attackrange.local54643-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-72.attackrange.local389ldap 23542300x800000000000000034703Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:27:05.259{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=398E5CFFD37A0191A7A5979DBDEEE245,SHA256=52761FEDAC5D358440837C4A04CE072A87780CC4AA174485EB04BE153FFA2267,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034707Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:27:06.595{15964E91-0672-620E-BC00-000000003602}4852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=554F80C87A60F88447015614FA504F09,SHA256=9734764964C63DD96DF33102D80013D51246168D99B6876127D1078C9C381AF6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034706Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:27:06.277{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42EC2A972CC0D52D4180D688B3FB5C57,SHA256=278ECC68120C8017E521366DC19ED4409300315975E91C883ACF757994CC05BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034708Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:27:07.310{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC84B63503D5F43CD1462D4FF5EF5FA8,SHA256=C98758B516E126096B42F221E5A7557149D84405147E7F4EB11A3AAE3A834B51,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034713Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:27:07.064{15964E91-0672-620E-BC00-000000003602}4852C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-72.attackrange.local54644-false10.0.1.12-8089- 10341000x800000000000000034712Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:27:08.325{15964E91-0B4D-620E-6506-000000003602}3824312C:\Windows\Explorer.EXE{15964E91-0D67-620E-C106-000000003602}7132C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+55bd0|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF8034F86AFD8)|UNKNOWN(FFFF835D954A5B68)|UNKNOWN(FFFF835D954A5CE7)|UNKNOWN(FFFF835D954A0371)|UNKNOWN(FFFF835D954A1D3A)|UNKNOWN(FFFF835D9549FFF6)|UNKNOWN(FFFFF8034F582503)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5942b|C:\Windows\System32\SHELL32.dll+dac8a|C:\Windows\System32\SHCORE.dll+33fad 10341000x800000000000000034711Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:27:08.325{15964E91-0B4D-620E-6506-000000003602}3824312C:\Windows\Explorer.EXE{15964E91-0D67-620E-C106-000000003602}7132C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+556b1|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF8034F86AFD8)|UNKNOWN(FFFF835D954A5B68)|UNKNOWN(FFFF835D954A5CE7)|UNKNOWN(FFFF835D954A0371)|UNKNOWN(FFFF835D954A1D3A)|UNKNOWN(FFFF835D9549FFF6)|UNKNOWN(FFFFF8034F582503)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5942b|C:\Windows\System32\SHELL32.dll+dac8a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000034710Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:27:08.325{15964E91-0D67-620E-C106-000000003602}7132ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RF3d0b13.TMPMD5=6558AC2BBC5221E14917604DEC548139,SHA256=BAA584313CBBEE5794519D07DFA875129771ED76C8C1CAAAB56CFDAB2C8F405F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034709Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:27:08.325{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9AA116389B063459713539EEF5B1E638,SHA256=26D7DB68B0B569A378829ACC61E1A4164F7F13F32ABCF383E6258D666690C0DA,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034715Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:27:07.616{15964E91-067A-620E-EA00-000000003602}944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-72.attackrange.local54645-false10.0.1.12-8000- 23542300x800000000000000034714Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:27:09.339{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9178BCD8CB7BD6514F308193915A4B34,SHA256=7DE8AD621A634369B21E6A73B70AE26AC44BED0C39E6C879062A18F938CC8770,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034716Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:27:10.355{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5524D37B41C675EE0BD7679D55D9CCFB,SHA256=C11F23025B4DA4D96724768ACACEFF60CADFA2680B622AEC20A8976DD4489369,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034717Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:27:11.373{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3217CE5AAA2351110E798A45883A8DF9,SHA256=FEB6A261B04B5C3C3327FB13CD468AFB1BFDD0DC30BD431ED65F1C79DAABB004,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034718Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:27:12.396{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F556FA25748E36CD570DFB002241A5BC,SHA256=1093668BAF92829AB22D5D8C81D084E3B3C34BB575E4CFD0B00395D050ED6C30,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034719Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:27:13.427{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E9FBB62FDB3BEEFC70E8B2857292649,SHA256=1723E350BEA9FF1E7FF1F5F4BCAB5E857F212F3AE4C1BE2CD7886F76E853EF95,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034721Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:27:14.442{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3BCA071F75B2F1C29009C6426C853092,SHA256=B38CB102932311B3F3BF1423A725ACF35B5F5BF4B4208CDC61ACEE109C7B7A5A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034720Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:27:12.718{15964E91-067A-620E-EA00-000000003602}944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-72.attackrange.local54646-false10.0.1.12-8000- 23542300x800000000000000034722Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:27:15.494{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F509A82107B23E14F46796EF02BF26E,SHA256=48356C34F7E5074B2A78FE50C12FD960D126D829CCC5EF0BBB628E43B9915BD9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034723Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:27:16.509{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8405DAC9D7C69EC620A020D9B45BC2D5,SHA256=10E8A484BD5CDE9D925AA73371CC5AFC58A4CF69D541C17196F0C5E908AF6DF2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034724Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:27:17.524{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8CB06BA0FCAE6141560E1EEF81204596,SHA256=FD7A029086A3B4CC69E02DB5D2FF1547427BDC4FFAEBBCB21DDF21966AE00AC1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034725Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:27:18.539{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2918ADB2A2CD7531AC10DBBF1F1412EB,SHA256=EF0E7E20048C415EC258C49EE5D15456609F24E31BD3890F515F3E64CED48168,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034726Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:27:19.541{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72F75042B54210539EA18B4336056375,SHA256=8829046A047485203F4F16291FC019D8316EF0B902FBA58CD9146EAB68C428B9,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034728Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:27:18.545{15964E91-067A-620E-EA00-000000003602}944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-72.attackrange.local54647-false10.0.1.12-8000- 23542300x800000000000000034727Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:27:20.556{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5645E34FFCBF25E793BEDC1B65F9FFF4,SHA256=2FC84888ABC7C4183B8D7AD31399C28C31FC1B625D91A64F7E8638D646E01C75,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034729Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:27:21.574{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD2C406E5B8139657F6459A5BD84B13F,SHA256=631479BE607B7C3DC08DDCFD9189BE4D4935A6567265BB1BB2131EB19A9D1018,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034730Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:27:22.576{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCBA75FBA3D61C011B3E6DED01056EEB,SHA256=8A169CA8B99F322C27E15A021CD7442708D1E60F90BA62488890071A1ECD07AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034731Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:27:23.591{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5057F48E2CB1849C18495CB73CC050A,SHA256=C77DAA2EBCD513F52A2A1E776BD4AAB23287867439BCF54EF58D13D19ED12DEE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034732Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:27:24.591{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2BC6248191D9833BBFB26B6EE6FBCB1,SHA256=FF70FCB743387030DFAAD59C2263D24BA27E44881E91265307298F2C4C152051,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034734Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:27:23.681{15964E91-067A-620E-EA00-000000003602}944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-72.attackrange.local54648-false10.0.1.12-8000- 23542300x800000000000000034733Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:27:25.592{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=140337D56BFD46EEDD0DDAD1F2C4CC6C,SHA256=F88958F845895FA189333E07D91532D02FAB623DF644A66CEBDC22BF9703E0CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034735Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:27:26.623{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D4164CF791C9698EBBD42D68C6C6D9C,SHA256=348A970CBE9195C2EE06CE94278D65239AF33E499D48D58AFC880E3098047B41,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034736Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:27:27.623{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F70B57A0CBAB63FE8A4F6FB79309AA33,SHA256=15096ACA5514881A5536D48F59C410ECA014265A950D2C17DA0B2702A10EF8B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034737Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:27:28.638{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=866357F3F9F552E5FB1D422C8F79F884,SHA256=F32F21FDCCCC97A47A0C8F8F487CC1973DC5AD6F823BE0986B9752441C5B87DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034739Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:27:29.695{15964E91-0562-620E-2C00-000000003602}3036NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0cd13038d9acfb6a1\channels\health\respondent-20220217082052-064MD5=5CDEFFEB9D405321091B6D567D00213B,SHA256=694D3E29A1B4A6F1E67ADE1AE836583F1FB15D03FD159997E24992AEAD1D69F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034738Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:27:29.654{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FCB4A35D1BBADCAD8AB208CAA1B3ED5C,SHA256=B9B380891C61532D54D59C65D64384F87C5B8C7DF4605B79BE97D7756D0883A6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034757Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:27:30.939{15964E91-0672-620E-C000-000000003602}31923852C:\Windows\system32\conhost.exe{15964E91-1502-620E-E807-000000003602}1592C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034756Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:27:30.939{15964E91-054E-620E-0500-000000003602}392408C:\Windows\system32\csrss.exe{15964E91-1502-620E-E807-000000003602}1592C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000034755Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:27:30.939{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034754Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:27:30.939{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034753Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:27:30.939{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034752Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:27:30.939{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034751Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:27:30.939{15964E91-0672-620E-BC00-000000003602}48522656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{15964E91-1502-620E-E807-000000003602}1592C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000034750Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:27:30.940{15964E91-1502-620E-E807-000000003602}1592C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{15964E91-054F-620E-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{15964E91-0672-620E-BC00-000000003602}4852C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000034749Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:27:30.693{15964E91-0562-620E-2C00-000000003602}3036NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0cd13038d9acfb6a1\channels\health\surveyor-20220217082050-065MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034748Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:27:30.670{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14E65D84ECC412686D478A383DD6BE07,SHA256=7121DE6575D7B417C5B42AD3F708C87DD44308E18623BB6B0B36CFE5BAA34CF1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034747Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:27:30.453{15964E91-0672-620E-C000-000000003602}31923852C:\Windows\system32\conhost.exe{15964E91-1502-620E-E707-000000003602}6212C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034746Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:27:30.453{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034745Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:27:30.453{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034744Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:27:30.453{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034743Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:27:30.453{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034742Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:27:30.453{15964E91-054E-620E-0500-000000003602}392408C:\Windows\system32\csrss.exe{15964E91-1502-620E-E707-000000003602}6212C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000034741Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:27:30.453{15964E91-0672-620E-BC00-000000003602}48522656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{15964E91-1502-620E-E707-000000003602}6212C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000034740Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:27:30.454{15964E91-1502-620E-E707-000000003602}6212C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{15964E91-054F-620E-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{15964E91-0672-620E-BC00-000000003602}4852C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000034762Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:27:31.691{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=787FA11D77B95E76DE121BA9487FC906,SHA256=55EEA0E7E860228F5FE2579E30A1E92E4C124C66C943E3843A4A9910382B04EA,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034761Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:27:29.663{15964E91-067A-620E-EA00-000000003602}944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-72.attackrange.local54649-false10.0.1.12-8000- 23542300x800000000000000034760Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:27:31.454{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=92B6968C69794257AB94FDB2AC6BE3C1,SHA256=432BCAB6C449B7FAC722CDA0C16130B3AC0CA13D274D72291A736ECC2C40BD99,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034759Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:27:31.454{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B591139CF9D16442A5F367CEED6520AD,SHA256=C7003C67AB19FA2454A6ECA085CC323A34FC382034CFC1B3B44910DD61DE25EC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034758Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:27:31.248{15964E91-1502-620E-E807-000000003602}15924448C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{15964E91-0672-620E-BC00-000000003602}4852C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000034771Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:27:32.692{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE361AB4A302EB488DD8360BA8C394A7,SHA256=D5C04C39A44F970B253885E860BCA2197A85BD9D79FCEB2594EC5D5E42464DE2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034770Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:27:32.007{15964E91-0672-620E-C000-000000003602}31923852C:\Windows\system32\conhost.exe{15964E91-1504-620E-E907-000000003602}3212C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034769Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:27:32.007{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034768Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:27:32.007{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034767Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:27:32.007{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034766Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:27:32.007{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034765Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:27:32.007{15964E91-054E-620E-0500-000000003602}392476C:\Windows\system32\csrss.exe{15964E91-1504-620E-E907-000000003602}3212C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000034764Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:27:32.007{15964E91-0672-620E-BC00-000000003602}48522656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{15964E91-1504-620E-E907-000000003602}3212C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000034763Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:27:32.007{15964E91-1504-620E-E907-000000003602}3212C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{15964E91-054F-620E-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{15964E91-0672-620E-BC00-000000003602}4852C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000034783Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:27:33.723{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4BD1A9C8629F4F2CB420D17C4CFC359,SHA256=5CE802D0834B42C8EC64E40035CA926F39DAE49BDBC562A13F4BF2C1C3F626D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034782Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:27:33.438{15964E91-0551-620E-1100-000000003602}396NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=CDF70B0C226EDBF1ABE1DE1C7F583F44,SHA256=4D8D178D91A2ECCAEB48B46A68BF507F091F8C9FE9F0E598F6D1AFDEFF269039,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034781Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:27:33.276{15964E91-1505-620E-EA07-000000003602}22963400C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{15964E91-0672-620E-BC00-000000003602}4852C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034780Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:27:33.092{15964E91-0672-620E-C000-000000003602}31923852C:\Windows\system32\conhost.exe{15964E91-1505-620E-EA07-000000003602}2296C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034779Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:27:33.092{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034778Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:27:33.092{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034777Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:27:33.092{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034776Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:27:33.092{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034775Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:27:33.092{15964E91-054E-620E-0500-000000003602}392508C:\Windows\system32\csrss.exe{15964E91-1505-620E-EA07-000000003602}2296C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000034774Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:27:33.092{15964E91-0672-620E-BC00-000000003602}48522656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{15964E91-1505-620E-EA07-000000003602}2296C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000034773Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:27:33.093{15964E91-1505-620E-EA07-000000003602}2296C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{15964E91-054F-620E-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{15964E91-0672-620E-BC00-000000003602}4852C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000034772Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:27:33.039{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=92B6968C69794257AB94FDB2AC6BE3C1,SHA256=432BCAB6C449B7FAC722CDA0C16130B3AC0CA13D274D72291A736ECC2C40BD99,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034802Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:27:34.954{15964E91-0672-620E-C000-000000003602}31923852C:\Windows\system32\conhost.exe{15964E91-1506-620E-EC07-000000003602}3844C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034801Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:27:34.954{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034800Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:27:34.954{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034799Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:27:34.954{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034798Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:27:34.954{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034797Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:27:34.954{15964E91-054E-620E-0500-000000003602}392476C:\Windows\system32\csrss.exe{15964E91-1506-620E-EC07-000000003602}3844C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000034796Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:27:34.954{15964E91-0672-620E-BC00-000000003602}48522656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{15964E91-1506-620E-EC07-000000003602}3844C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000034795Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:27:34.954{15964E91-1506-620E-EC07-000000003602}3844C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{15964E91-054F-620E-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{15964E91-0672-620E-BC00-000000003602}4852C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000034794Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:27:34.723{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37EF7AFD9ECA486A9D257D50F618EB89,SHA256=5CAD62EA42E96658D82F068CE06634A5B57A6CF72240BFECDFE07E6FABDADEBD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034793Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:27:34.540{15964E91-1506-620E-EB07-000000003602}62723548C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{15964E91-0672-620E-BC00-000000003602}4852C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034792Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:27:34.291{15964E91-0672-620E-C000-000000003602}31923852C:\Windows\system32\conhost.exe{15964E91-1506-620E-EB07-000000003602}6272C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034791Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:27:34.291{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034790Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:27:34.291{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034789Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:27:34.291{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034788Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:27:34.291{15964E91-054E-620E-0500-000000003602}392408C:\Windows\system32\csrss.exe{15964E91-1506-620E-EB07-000000003602}6272C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000034787Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:27:34.291{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034786Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:27:34.291{15964E91-0672-620E-BC00-000000003602}48522656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{15964E91-1506-620E-EB07-000000003602}6272C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000034785Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:27:34.292{15964E91-1506-620E-EB07-000000003602}6272C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{15964E91-054F-620E-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{15964E91-0672-620E-BC00-000000003602}4852C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000034784Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:27:34.106{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DADA31F94C773DF614CEAB481E4FC978,SHA256=1023020F3BF79851BF9EB84BB14B2C7CC79FE51046007E090D10687CB15F886D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034847Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:27:35.966{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED103C5CEC3F9EF491980F40879E1B29,SHA256=008032EA1BF19BEF6E0DF54C247A206F2A45515B767978A28DD04A3E0D088A93,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034846Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:27:35.833{15964E91-0672-620E-C000-000000003602}31923852C:\Windows\system32\conhost.exe{15964E91-1507-620E-ED07-000000003602}6824C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034845Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:27:35.833{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034844Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:27:35.833{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034843Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:27:35.833{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034842Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:27:35.833{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034841Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:27:35.833{15964E91-054E-620E-0500-000000003602}392508C:\Windows\system32\csrss.exe{15964E91-1507-620E-ED07-000000003602}6824C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000034840Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:27:35.833{15964E91-0672-620E-BC00-000000003602}48522656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{15964E91-1507-620E-ED07-000000003602}6824C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000034839Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:27:35.834{15964E91-1507-620E-ED07-000000003602}6824C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{15964E91-054F-620E-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{15964E91-0672-620E-BC00-000000003602}4852C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000034838Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:27:34.680{15964E91-067A-620E-EA00-000000003602}944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-72.attackrange.local54650-false10.0.1.12-8000- 10341000x800000000000000034837Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:27:35.358{15964E91-1506-620E-EC07-000000003602}38444256C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{15964E91-0672-620E-BC00-000000003602}4852C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000034836Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:27:35.302{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A5BF9D75726DC72EC1A42748471CACAB,SHA256=717804C9B6AB7F87173D11EAEEAF01B0F3A9C0BFEA400D76C2B58C3728C50D5C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034835Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:27:35.078{15964E91-0551-620E-0D00-000000003602}880904C:\Windows\system32\svchost.exe{15964E91-0B4D-620E-6506-000000003602}3824C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034834Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:27:35.078{15964E91-0551-620E-0D00-000000003602}880904C:\Windows\system32\svchost.exe{15964E91-0B4D-620E-6506-000000003602}3824C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034833Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:27:35.077{15964E91-0551-620E-0D00-000000003602}880904C:\Windows\system32\svchost.exe{15964E91-0B4D-620E-6506-000000003602}3824C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034832Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:27:35.073{15964E91-0551-620E-0D00-000000003602}880904C:\Windows\system32\svchost.exe{15964E91-0B4D-620E-6506-000000003602}3824C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034831Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:27:35.073{15964E91-0551-620E-0D00-000000003602}880904C:\Windows\system32\svchost.exe{15964E91-0B4D-620E-6506-000000003602}3824C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034830Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:27:35.073{15964E91-0551-620E-0D00-000000003602}880904C:\Windows\system32\svchost.exe{15964E91-0B4D-620E-6506-000000003602}3824C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034829Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:27:35.073{15964E91-0551-620E-0D00-000000003602}880904C:\Windows\system32\svchost.exe{15964E91-0B4D-620E-6506-000000003602}3824C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034828Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:27:35.073{15964E91-0551-620E-0D00-000000003602}880904C:\Windows\system32\svchost.exe{15964E91-0B4D-620E-6506-000000003602}3824C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034827Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:27:35.073{15964E91-0551-620E-0D00-000000003602}880904C:\Windows\system32\svchost.exe{15964E91-0B4D-620E-6506-000000003602}3824C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034826Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:27:35.073{15964E91-0551-620E-0D00-000000003602}880904C:\Windows\system32\svchost.exe{15964E91-0B4D-620E-6506-000000003602}3824C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034825Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:27:35.072{15964E91-0551-620E-0D00-000000003602}880904C:\Windows\system32\svchost.exe{15964E91-0B4D-620E-6506-000000003602}3824C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034824Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:27:35.072{15964E91-0551-620E-0D00-000000003602}880904C:\Windows\system32\svchost.exe{15964E91-0B4D-620E-6506-000000003602}3824C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034823Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:27:35.072{15964E91-0551-620E-0D00-000000003602}880904C:\Windows\system32\svchost.exe{15964E91-0B4D-620E-6506-000000003602}3824C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034822Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:27:35.072{15964E91-0551-620E-0D00-000000003602}880904C:\Windows\system32\svchost.exe{15964E91-0B4D-620E-6506-000000003602}3824C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034821Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:27:35.072{15964E91-0551-620E-0D00-000000003602}880904C:\Windows\system32\svchost.exe{15964E91-0B4D-620E-6506-000000003602}3824C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034820Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:27:35.072{15964E91-0551-620E-0D00-000000003602}880904C:\Windows\system32\svchost.exe{15964E91-0B4D-620E-6506-000000003602}3824C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034819Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:27:35.072{15964E91-0551-620E-0D00-000000003602}880904C:\Windows\system32\svchost.exe{15964E91-0B4D-620E-6506-000000003602}3824C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034818Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:27:35.072{15964E91-0551-620E-0D00-000000003602}880904C:\Windows\system32\svchost.exe{15964E91-0B4D-620E-6506-000000003602}3824C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034817Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:27:35.072{15964E91-0551-620E-0D00-000000003602}880904C:\Windows\system32\svchost.exe{15964E91-0B4D-620E-6506-000000003602}3824C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034816Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:27:35.072{15964E91-0551-620E-0D00-000000003602}880904C:\Windows\system32\svchost.exe{15964E91-0B4D-620E-6506-000000003602}3824C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034815Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:27:35.072{15964E91-0551-620E-0D00-000000003602}880904C:\Windows\system32\svchost.exe{15964E91-0B59-620E-7306-000000003602}172C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034814Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:27:35.072{15964E91-0551-620E-0D00-000000003602}880904C:\Windows\system32\svchost.exe{15964E91-0B59-620E-7306-000000003602}172C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034813Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:27:35.072{15964E91-0551-620E-0D00-000000003602}880904C:\Windows\system32\svchost.exe{15964E91-0B59-620E-7306-000000003602}172C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034812Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:27:35.072{15964E91-0551-620E-0D00-000000003602}880904C:\Windows\system32\svchost.exe{15964E91-0B59-620E-7306-000000003602}172C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034811Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:27:35.072{15964E91-0551-620E-0D00-000000003602}880904C:\Windows\system32\svchost.exe{15964E91-0B59-620E-7306-000000003602}172C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034810Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:27:35.072{15964E91-0551-620E-0D00-000000003602}880904C:\Windows\system32\svchost.exe{15964E91-0B59-620E-7306-000000003602}172C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034809Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:27:35.072{15964E91-0551-620E-0D00-000000003602}880904C:\Windows\system32\svchost.exe{15964E91-0B59-620E-7306-000000003602}172C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034808Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:27:35.072{15964E91-0551-620E-0D00-000000003602}880904C:\Windows\system32\svchost.exe{15964E91-0B59-620E-7306-000000003602}172C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034807Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:27:35.071{15964E91-0551-620E-0D00-000000003602}880904C:\Windows\system32\svchost.exe{15964E91-0562-620E-2F00-000000003602}8C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034806Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:27:35.071{15964E91-0551-620E-0D00-000000003602}880904C:\Windows\system32\svchost.exe{15964E91-0562-620E-2F00-000000003602}8C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034805Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:27:35.071{15964E91-0551-620E-0D00-000000003602}880904C:\Windows\system32\svchost.exe{15964E91-0B5A-620E-7406-000000003602}1440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034804Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:27:35.071{15964E91-0551-620E-0D00-000000003602}880904C:\Windows\system32\svchost.exe{15964E91-0B5A-620E-7406-000000003602}1440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034803Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:27:35.071{15964E91-0551-620E-0D00-000000003602}880904C:\Windows\system32\svchost.exe{15964E91-0B5A-620E-7406-000000003602}1440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000034849Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:27:36.848{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4DCF5FADA2618BD1C1343D3FCBF9F7B2,SHA256=4AAE0D4A567440CF9C791362D2B174FE7C67181320FE7FA83B0735260EAC65C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034848Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:27:36.770{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27F069072F1EDCB57E1BDD210847DAC0,SHA256=F4E21DD0E74226B6320BBD957D6823848C29382A4AB9DD1AA49DB6DF7F439BF6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034850Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:27:37.785{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3A874299C63250A9C1EF2A1BF8073C0,SHA256=01484867B1711F839F9589303E3BA3026B8D94C291EAA1A0B32A30CA60BE765E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034851Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:27:38.815{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE63EB3AA797753E414C52AA04DB103A,SHA256=3540CC0EB4904F74D0F695D28EB2CB8297DE3A6CD509D60F924A96BC9DE822D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034852Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:27:39.845{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCA94F80A8CF55F76F6E71407C4AC6B6,SHA256=B7699571EB341B7C4C6247624F871F5E70E3FB46127FE7638733B9E950E4E661,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034854Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:27:40.881{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2E37D25931DB361173AA50E7007EAEA,SHA256=996001FDF47425E9D249947FC07C023F10D2B88291A1C6900FB1435060F270F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034853Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:27:40.444{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=01EFF8446BE6F2110AAD1EC3DD49390D,SHA256=07EE476A338128338AFE391E32D061A9FE5F10FFC0B02ADD19346C6CB5DF739C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034856Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:27:40.604{15964E91-067A-620E-EA00-000000003602}944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-72.attackrange.local54651-false10.0.1.12-8000- 23542300x800000000000000034855Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:27:41.882{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=936A310A94EA98C27D97E623346A44A5,SHA256=963A905D461EB7E4161D77740849E0BE939B89F854766426844B096FCEDF2FA7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034857Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:27:42.897{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15F1A226D4E094A573DBB6415B5C8694,SHA256=8C8AF6D20304E4B469E57DAD4C9332E5E3EFD1EAEC1E1E4DEBA60EB4D1A675F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034858Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:27:43.912{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2C417CAC5BFB7897DCBE780A13A81FE,SHA256=6E76958B77A3FF92DCDD31F8530E585FF0A500EF6687CC85DAF55D79631543C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034859Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:27:44.945{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18F10D33DB8E144D4620A46619F11659,SHA256=0064AF93F302E8A01322C07618175FFEFB31112AD96E46213F7F9BA3669A0A24,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034860Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:27:45.981{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8DDD0C3B63540E7EACABA488DD5C2B96,SHA256=0065B98FE565FA2EEA5A4512DA2BD03973659C567E3334B5439DBDB6A075681F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034861Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:27:46.996{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E007B8AB764D8110D6BC35DF2688606,SHA256=E5E9FC2B1546DF63ED68A9E9E969E76DF3FC8C44E0CDF56F650E1E30A9F42E72,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034863Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:27:46.633{15964E91-067A-620E-EA00-000000003602}944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-72.attackrange.local54652-false10.0.1.12-8000- 23542300x800000000000000034862Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:27:48.010{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3BA4AD96FDCA8548F5A3B490E72B23D2,SHA256=9CCAE16E892D7774FEAE3D0192E49F9AC148ADD0EED71B3980A6F68113DC35E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034864Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:27:49.014{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4782544570FE3DAD83AEF567350D66BC,SHA256=B1FF78F7086A37712EFBD4E02092A79403BC9317068AEB0BBF64E3A71543E709,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034865Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:27:50.015{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB20265C4AAD39CBB3ABB7FACDF5AB98,SHA256=12D60F83CC1FB2344755ADA8C7C04CAB29D4911B3152577B34F6635A9DDDED3B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034866Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:27:51.030{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56EF6AE09F719FF7B760650A6E7D28A9,SHA256=9B4D2F3CA806615BEAA439EB512DB267D70C0E5668F2D790BF4E5B6E24759A92,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034867Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:27:52.030{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=573FAFE68E3B34D9BC9985304145ED7A,SHA256=1D53EF9CF03CFCE4AC27F7A9963888273C41E975F3512C62949374357FF93855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034872Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:27:53.183{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0551-620E-1500-000000003602}1288C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034871Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:27:53.183{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0551-620E-1500-000000003602}1288C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034870Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:27:53.183{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0551-620E-1500-000000003602}1288C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000034869Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:27:51.652{15964E91-067A-620E-EA00-000000003602}944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-72.attackrange.local54653-false10.0.1.12-8000- 23542300x800000000000000034868Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:27:53.046{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A0E836ADF730469601FD1166714A25E,SHA256=469D725DD1F76475D47E622BBE4F2617771F40221C7219D83059252173EFAF3B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034873Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:27:54.083{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=866B6F44D1B1850FE30511F7E73BFF43,SHA256=A965F94884E8316771BFB0560361A9D5E45D73273B47282293B462C459B4B55E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034875Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:27:55.366{15964E91-0D67-620E-C106-000000003602}71324796C:\Program Files\Mozilla Firefox\firefox.exe{15964E91-102E-620E-3E07-000000003602}7048C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+2ba20|C:\Program Files\Mozilla Firefox\xul.dll+e4d42d|C:\Program Files\Mozilla Firefox\xul.dll+e4e51f|C:\Program Files\Mozilla Firefox\xul.dll+116d796|C:\Program Files\Mozilla Firefox\xul.dll+e4b01d|C:\Program Files\Mozilla Firefox\xul.dll+e2f2f0|C:\Program Files\Mozilla Firefox\xul.dll+1f9b1b2|C:\Program Files\Mozilla Firefox\xul.dll+1a2b7ea|C:\Program Files\Mozilla Firefox\xul.dll+1a2d811|C:\Program Files\Mozilla Firefox\xul.dll+17bc940|C:\Program Files\Mozilla Firefox\xul.dll+16f7719|C:\Program Files\Mozilla Firefox\xul.dll+1bea589|C:\Program Files\Mozilla Firefox\xul.dll+17b963c|C:\Program Files\Mozilla Firefox\xul.dll+1768fe7|UNKNOWN(000002E8F4C81E54) 23542300x800000000000000034874Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:27:55.097{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3E386C5DC5782B7A9BA8708A62B7AB9,SHA256=7B527600E561623B4269456A6903DDCD5AA91784D19ECDEF3D0CBE10F8FA5C3E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034876Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:27:56.098{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6FA3F1D74BA06315963926161B5C4167,SHA256=5AE019880E8CBF500A2D25DD871771213C3527A1B14881C36410233C5BC1653C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034878Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:27:57.383{15964E91-0D67-620E-C106-000000003602}71324796C:\Program Files\Mozilla Firefox\firefox.exe{15964E91-102E-620E-3E07-000000003602}7048C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+2ba20|C:\Program Files\Mozilla Firefox\xul.dll+e4d42d|C:\Program Files\Mozilla Firefox\xul.dll+e4ceb8|C:\Program Files\Mozilla Firefox\xul.dll+844fb2|C:\Program Files\Mozilla Firefox\xul.dll+8390ea|C:\Program Files\Mozilla Firefox\xul.dll+19df6f7|C:\Program Files\Mozilla Firefox\xul.dll+16aee96|C:\Program Files\Mozilla Firefox\xul.dll+1a05b8f|C:\Program Files\Mozilla Firefox\xul.dll+9945bf|C:\Program Files\Mozilla Firefox\xul.dll+2479e|C:\Program Files\Mozilla Firefox\xul.dll+18eaa8|C:\Program Files\Mozilla Firefox\xul.dll+18d99f|C:\Program Files\Mozilla Firefox\xul.dll+43e0a51|C:\Program Files\Mozilla Firefox\xul.dll+444af9b|C:\Program Files\Mozilla Firefox\xul.dll+444bd89|C:\Program Files\Mozilla Firefox\xul.dll+1f9ea33|C:\Program Files\Mozilla Firefox\firefox.exe+9e20|C:\Program Files\Mozilla Firefox\firefox.exe+1ca68|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000034877Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:27:57.099{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=903D1A901B920933A8616BDBC3B7B3E0,SHA256=46EABDEE6EBB9C18423CEC0EED5C024DF010A11CA6986C2D1D13C0F122EFF848,IMPHASH=00000000000000000000000000000000falsetrue 17141700x800000000000000034882Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-CreatePipe2022-02-17 09:27:58.583{15964E91-0D67-620E-C106-000000003602}7132\chrome.7132.143.71848293C:\Program Files\Mozilla Firefox\firefox.exe 10341000x800000000000000034881Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:27:58.567{15964E91-0D67-620E-C106-000000003602}71324796C:\Program Files\Mozilla Firefox\firefox.exe{15964E91-143F-620E-CE07-000000003602}2588C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+2ba20|C:\Program Files\Mozilla Firefox\xul.dll+e4d42d|C:\Program Files\Mozilla Firefox\xul.dll+e4ceb8|C:\Program Files\Mozilla Firefox\xul.dll+844fb2|C:\Program Files\Mozilla Firefox\xul.dll+8390ea|C:\Program Files\Mozilla Firefox\xul.dll+19df6f7|C:\Program Files\Mozilla Firefox\xul.dll+16aee96|C:\Program Files\Mozilla Firefox\xul.dll+1a05b8f|C:\Program Files\Mozilla Firefox\xul.dll+9945bf|C:\Program Files\Mozilla Firefox\xul.dll+2479e|C:\Program Files\Mozilla Firefox\xul.dll+18eaa8|C:\Program Files\Mozilla Firefox\xul.dll+18d99f|C:\Program Files\Mozilla Firefox\xul.dll+43e0a51|C:\Program Files\Mozilla Firefox\xul.dll+444af9b|C:\Program Files\Mozilla Firefox\xul.dll+444bd89|C:\Program Files\Mozilla Firefox\xul.dll+1f9ea33|C:\Program Files\Mozilla Firefox\firefox.exe+9e20|C:\Program Files\Mozilla Firefox\firefox.exe+1ca68|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034880Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:27:58.564{15964E91-0D67-620E-C106-000000003602}71324796C:\Program Files\Mozilla Firefox\firefox.exe{15964E91-102E-620E-3E07-000000003602}7048C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+2ba20|C:\Program Files\Mozilla Firefox\xul.dll+e4d42d|C:\Program Files\Mozilla Firefox\xul.dll+e4e51f|C:\Program Files\Mozilla Firefox\xul.dll+116d796|C:\Program Files\Mozilla Firefox\xul.dll+e4b01d|C:\Program Files\Mozilla Firefox\xul.dll+e2f2f0|C:\Program Files\Mozilla Firefox\xul.dll+1f9b1b2|C:\Program Files\Mozilla Firefox\xul.dll+1a2b7ea|C:\Program Files\Mozilla Firefox\xul.dll+1a2d811|C:\Program Files\Mozilla Firefox\xul.dll+1e96f4f|UNKNOWN(000002E8F4C83332) 23542300x800000000000000034879Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:27:58.114{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C71C0419E8163D06EC745AA621D9769A,SHA256=810E102A5E5C1E390BB44688EE769B37BF154B99567C3A1FF77D61107CCE0543,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034884Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:27:56.653{15964E91-067A-620E-EA00-000000003602}944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-72.attackrange.local54654-false10.0.1.12-8000- 23542300x800000000000000034883Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:27:59.117{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A1ACB12EDC4EB6DD9A67DFAAD62D23A,SHA256=8420152C70A5E5BC0A5512611BF47764B0C9F4813B2E68BFCFBFE8E5F63F2B9F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034894Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:00.318{15964E91-0D67-620E-C106-000000003602}7132ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\lqyh10pn.default-release\cache2\indexMD5=3C36AA4A4DF6A51246C85FE5102B5E6F,SHA256=35D5A563E137585246BE70B6B78360665790E47FE033B54430820874B8680844,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034893Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:00.287{15964E91-0D67-620E-C106-000000003602}71324796C:\Program Files\Mozilla Firefox\firefox.exe{15964E91-102E-620E-3E07-000000003602}7048C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+2ba20|C:\Program Files\Mozilla Firefox\xul.dll+e4d42d|C:\Program Files\Mozilla Firefox\xul.dll+e4ceb8|C:\Program Files\Mozilla Firefox\xul.dll+844fb2|C:\Program Files\Mozilla Firefox\xul.dll+8390ea|C:\Program Files\Mozilla Firefox\xul.dll+19df6f7|C:\Program Files\Mozilla Firefox\xul.dll+16aee96|C:\Program Files\Mozilla Firefox\xul.dll+1a05b8f|C:\Program Files\Mozilla Firefox\xul.dll+9945bf|C:\Program Files\Mozilla Firefox\xul.dll+2479e|C:\Program Files\Mozilla Firefox\xul.dll+18eaa8|C:\Program Files\Mozilla Firefox\xul.dll+18d99f|C:\Program Files\Mozilla Firefox\xul.dll+43e0a51|C:\Program Files\Mozilla Firefox\xul.dll+444af9b|C:\Program Files\Mozilla Firefox\xul.dll+444bd89|C:\Program Files\Mozilla Firefox\xul.dll+1f9ea33|C:\Program Files\Mozilla Firefox\firefox.exe+9e20|C:\Program Files\Mozilla Firefox\firefox.exe+1ca68|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034892Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:00.287{15964E91-0B4D-620E-6506-000000003602}38245940C:\Windows\Explorer.EXE{15964E91-13D5-620E-BA07-000000003602}6940C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+63325|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034891Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:00.287{15964E91-0B4D-620E-6506-000000003602}38245940C:\Windows\Explorer.EXE{15964E91-13D5-620E-BA07-000000003602}6940C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6323e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034890Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:00.287{15964E91-0B4D-620E-6506-000000003602}38245940C:\Windows\Explorer.EXE{15964E91-13D5-620E-BA07-000000003602}6940C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63207|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034889Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:00.287{15964E91-0B4D-620E-6506-000000003602}38243436C:\Windows\Explorer.EXE{15964E91-13D5-620E-BB07-000000003602}6932C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+639b0|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034888Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:00.287{15964E91-0B4D-620E-6506-000000003602}38243436C:\Windows\Explorer.EXE{15964E91-13D5-620E-BB07-000000003602}6932C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47d70|C:\Windows\System32\SHELL32.dll+6396c|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034887Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:00.287{15964E91-0B4D-620E-6506-000000003602}38243436C:\Windows\Explorer.EXE{15964E91-13D5-620E-BB07-000000003602}6932C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63940|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034886Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:00.287{15964E91-0B4D-620E-6506-000000003602}38243436C:\Windows\Explorer.EXE{15964E91-13D5-620E-BB07-000000003602}6932C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d549|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000034885Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:00.134{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37AE853347620DFC7C291A59435037EA,SHA256=DCF5388BE947B5966C3B2C559234095061B12B645A7715E4F9063847F954B173,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034895Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:01.148{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00FC52574DF2AC7CAD229B50BC7BC01E,SHA256=017A03C5CFCDBF43D89449548735C83C8E7FB84DF17F1F55424F5F58850A7346,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034897Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:00.814{15964E91-0562-620E-2A00-000000003602}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-72.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-72.attackrange.local62190- 23542300x800000000000000034896Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:02.149{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=574EACC9075AA2FB5EBE87460826C776,SHA256=0B08375734793235B9BAF3E537FAA12D9CC4F94A5EDDFE3DA8461C801A5BF597,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034899Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:00.815{15964E91-0D67-620E-C106-000000003602}7132C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-tcontreras-attack-range-72.attackrange.local54655-false142.250.186.132fra24s07-in-f4.1e100.net443https 23542300x800000000000000034898Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:03.166{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFB69E4EF95A9EB38995282A0BD0B086,SHA256=D05BD971581B9167433E502E7249D3E57F3EDCD277A2DCE6936011807EB94B65,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034903Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:04.447{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D96E2ECDC73F655CEF4E9F51781209D6,SHA256=DC4D2144B42C6E0AC4D5EEA7A105686DD177D3459050B720A9B65AC969A9D1F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034902Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:04.447{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=327F74DEA5B49B63EC8B8CE97C820F27,SHA256=970BA1AD700D20855C604735BE1C8617D0E30A59C2430AADF25BC29C50D6E318,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034901Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:02.607{15964E91-067A-620E-EA00-000000003602}944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-72.attackrange.local54656-false10.0.1.12-8000- 23542300x800000000000000034900Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:04.200{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B24FB8126C6B204917DBAC5A354214F,SHA256=6BC38BF77FEF7685270FB84B820DE9A0143E27C5E2CCA35F4CA3546F46F972D2,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034906Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:03.853{15964E91-054F-620E-0B00-000000003602}608C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-72.attackrange.local54657-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-72.attackrange.local389ldap 354300x800000000000000034905Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:03.853{15964E91-0562-620E-2800-000000003602}2872C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-72.attackrange.local54657-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-72.attackrange.local389ldap 23542300x800000000000000034904Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:05.215{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=428D12CD1D17B203B9A36CDAC4D8042E,SHA256=7FD8EAEDAAA587635F924C488793ECAACD2F9A90CE9F5D5C83A0D5F345DD85E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034908Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:06.602{15964E91-0672-620E-BC00-000000003602}4852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=554F80C87A60F88447015614FA504F09,SHA256=9734764964C63DD96DF33102D80013D51246168D99B6876127D1078C9C381AF6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034907Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:06.218{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B954F22C5235387D1E3F04F68F254ACF,SHA256=5DA5F4202321DCD649DEC3A3D8B9C9CE910D60A5301B4F29064D9BDC16283E5C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034909Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:07.234{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26A9006CA014155FC9FE1514671A88DD,SHA256=4DA857BB69A9AB6235918D0AB87DB54A59CA794953589F64BFC4D0753987F4FF,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034911Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:07.091{15964E91-0672-620E-BC00-000000003602}4852C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-72.attackrange.local54658-false10.0.1.12-8089- 23542300x800000000000000034910Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:08.234{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=606FC18761E157F010C5A7C127C80BD8,SHA256=325C20947A9AAE4D474E7CD37F8A0190BC433F18085C7B7EC5DCD08BAB6DF43E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034913Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:07.608{15964E91-067A-620E-EA00-000000003602}944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-72.attackrange.local54659-false10.0.1.12-8000- 23542300x800000000000000034912Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:09.249{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF5F79E8B2E8214175B88840300DF838,SHA256=126C2237CF88E71FCD8331FF12105037775841364B70957E1BA80EC85795E3DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034914Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:10.301{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE7EC7F946A343AF9D6CF691444AD10F,SHA256=0D22E5E6C717280558E36FB5214A064DC90BB1852DFE957F8BA3CB4FCFFBFB1B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034915Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:11.316{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B781524124C0414AADB24F2AC83EC545,SHA256=697C4DEB8A0864C804B9BA912291B8FABD0841D1CE81FAB7A4A51FA9586BF805,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035072Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:12.684{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=635BD32392D64615CD2B47AAFBED806C,SHA256=BF76476EEE2FD71B86DD9CFA1DC252A81742E12519249947DBF28D52D3EB97ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035071Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:12.616{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C61CB9FA1B03C73C597647AB724B6DDA,SHA256=F2330E6E9BE8ACBC6F734185F0BAEAB3918118AA76B0F371B5C785F3AAFF845D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000035070Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:12.369{15964E91-152C-620E-EF07-000000003602}52683492C:\Windows\system32\conhost.exe{15964E91-152C-620E-FE07-000000003602}3512C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035069Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:12.347{15964E91-0B49-620E-4B06-000000003602}24361352C:\Windows\system32\csrss.exe{15964E91-152C-620E-FE07-000000003602}3512C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000035068Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:12.347{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035067Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:12.347{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035066Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:12.347{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035065Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:12.347{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035064Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:12.347{15964E91-152C-620E-EE07-000000003602}59246000C:\Windows\system32\cmd.exe{15964E91-152C-620E-FE07-000000003602}3512C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000035063Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:12.361{15964E91-152C-620E-FE07-000000003602}3512C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKLM\SYSTEM\CurrentControlSet\Services\WdNisSvc" /v "Start" /t "Dword" /d "4" /fC:\Temp\ATTACKRANGE\Administrator{15964E91-0B4B-620E-27B1-370000000000}0x37b1272HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{15964E91-152C-620E-EE07-000000003602}5924C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Temp\dis_reg.bat" " 10341000x800000000000000035062Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:12.347{15964E91-152C-620E-EF07-000000003602}52683492C:\Windows\system32\conhost.exe{15964E91-152C-620E-FD07-000000003602}3048C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035061Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:12.347{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035060Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:12.347{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035059Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:12.347{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035058Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:12.347{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035057Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:12.347{15964E91-0B49-620E-4B06-000000003602}24365384C:\Windows\system32\csrss.exe{15964E91-152C-620E-FD07-000000003602}3048C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000035056Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:12.347{15964E91-152C-620E-EE07-000000003602}59246000C:\Windows\system32\cmd.exe{15964E91-152C-620E-FD07-000000003602}3048C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000035055Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:12.351{15964E91-152C-620E-FD07-000000003602}3048C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKLM\SYSTEM\CurrentControlSet\Services\WdNisDrv" /v "Start" /t "Dword" /d "4" /fC:\Temp\ATTACKRANGE\Administrator{15964E91-0B4B-620E-27B1-370000000000}0x37b1272HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{15964E91-152C-620E-EE07-000000003602}5924C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Temp\dis_reg.bat" " 10341000x800000000000000035054Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:12.331{15964E91-152C-620E-EF07-000000003602}52683492C:\Windows\system32\conhost.exe{15964E91-152C-620E-FC07-000000003602}504C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035053Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:12.331{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035052Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:12.331{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035051Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:12.331{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035050Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:12.331{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035049Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:12.331{15964E91-0B49-620E-4B06-000000003602}24362168C:\Windows\system32\csrss.exe{15964E91-152C-620E-FC07-000000003602}504C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000035048Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:12.331{15964E91-152C-620E-EE07-000000003602}59246000C:\Windows\system32\cmd.exe{15964E91-152C-620E-FC07-000000003602}504C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000035047Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:12.335{15964E91-152C-620E-FC07-000000003602}504C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKLM\SYSTEM\CurrentControlSet\Services\WdFilter" /v "Start" /t "Dword" /d "4" /fC:\Temp\ATTACKRANGE\Administrator{15964E91-0B4B-620E-27B1-370000000000}0x37b1272HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{15964E91-152C-620E-EE07-000000003602}5924C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Temp\dis_reg.bat" " 10341000x800000000000000035046Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:12.316{15964E91-152C-620E-EF07-000000003602}52683492C:\Windows\system32\conhost.exe{15964E91-152C-620E-FB07-000000003602}4192C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035045Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:12.316{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035044Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:12.316{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035043Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:12.316{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035042Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:12.316{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035041Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:12.316{15964E91-0B49-620E-4B06-000000003602}24365384C:\Windows\system32\csrss.exe{15964E91-152C-620E-FB07-000000003602}4192C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000035040Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:12.316{15964E91-152C-620E-EE07-000000003602}59246000C:\Windows\system32\cmd.exe{15964E91-152C-620E-FB07-000000003602}4192C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000035039Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:12.317{15964E91-152C-620E-FB07-000000003602}4192C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKLM\SYSTEM\CurrentControlSet\Services\WdBoot" /v "Start" /t "Dword" /d "4" /fC:\Temp\ATTACKRANGE\Administrator{15964E91-0B4B-620E-27B1-370000000000}0x37b1272HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{15964E91-152C-620E-EE07-000000003602}5924C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Temp\dis_reg.bat" " 10341000x800000000000000035038Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:12.301{15964E91-152C-620E-EF07-000000003602}52683492C:\Windows\system32\conhost.exe{15964E91-152C-620E-FA07-000000003602}6096C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035037Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:12.301{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035036Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:12.301{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035035Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:12.301{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035034Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:12.301{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035033Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:12.301{15964E91-0B49-620E-4B06-000000003602}24362168C:\Windows\system32\csrss.exe{15964E91-152C-620E-FA07-000000003602}6096C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000035032Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:12.301{15964E91-152C-620E-EE07-000000003602}59246000C:\Windows\system32\cmd.exe{15964E91-152C-620E-FA07-000000003602}6096C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000035031Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:12.306{15964E91-152C-620E-FA07-000000003602}6096C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKLM\SYSTEM\CurrentControlSet\Services\Sense" /v "Start" /t "Dword" /d "4" /fC:\Temp\ATTACKRANGE\Administrator{15964E91-0B4B-620E-27B1-370000000000}0x37b1272HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{15964E91-152C-620E-EE07-000000003602}5924C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Temp\dis_reg.bat" " 10341000x800000000000000035030Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:12.284{15964E91-152C-620E-EF07-000000003602}52683492C:\Windows\system32\conhost.exe{00000000-0000-0000-0000-000000000000}6056C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035029Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:12.284{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035028Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:12.284{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035027Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:12.284{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035026Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:12.284{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035025Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:12.284{15964E91-0B49-620E-4B06-000000003602}24365384C:\Windows\system32\csrss.exe{15964E91-152C-620E-F907-000000003602}6056C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000035024Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:12.284{15964E91-152C-620E-EE07-000000003602}59246000C:\Windows\system32\cmd.exe{15964E91-152C-620E-F907-000000003602}6056C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000035023Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:12.292{15964E91-152C-620E-F907-000000003602}6056C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKLM\SYSTEM\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t "Dword" /d "4" /fC:\Temp\ATTACKRANGE\Administrator{15964E91-0B4B-620E-27B1-370000000000}0x37b1272HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{15964E91-152C-620E-EE07-000000003602}5924C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Temp\dis_reg.bat" " 10341000x800000000000000035022Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:12.269{15964E91-152C-620E-EF07-000000003602}52683492C:\Windows\system32\conhost.exe{15964E91-152C-620E-F807-000000003602}5608C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035021Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:12.269{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035020Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:12.269{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035019Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:12.269{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035018Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:12.269{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035017Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:12.269{15964E91-0B49-620E-4B06-000000003602}24361352C:\Windows\system32\csrss.exe{15964E91-152C-620E-F807-000000003602}5608C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000035016Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:12.269{15964E91-152C-620E-EE07-000000003602}59246000C:\Windows\system32\cmd.exe{15964E91-152C-620E-F807-000000003602}5608C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000035015Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:12.280{15964E91-152C-620E-F807-000000003602}5608C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v "Start" /t "Dword" /d "4" /fC:\Temp\ATTACKRANGE\Administrator{15964E91-0B4B-620E-27B1-370000000000}0x37b1272HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{15964E91-152C-620E-EE07-000000003602}5924C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Temp\dis_reg.bat" " 13241300x800000000000000035014Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.localT1031,T1050SetValue2022-02-17 09:28:12.269{15964E91-152C-620E-F707-000000003602}6232C:\Windows\system32\reg.exeHKLM\System\CurrentControlSet\Services\Sense\StartDWORD (0x00000004) 10341000x800000000000000035013Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:12.269{15964E91-152C-620E-EF07-000000003602}52683492C:\Windows\system32\conhost.exe{15964E91-152C-620E-F707-000000003602}6232C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035012Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:12.269{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035011Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:12.269{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035010Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:12.269{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035009Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:12.269{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035008Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:12.269{15964E91-0B49-620E-4B06-000000003602}24365384C:\Windows\system32\csrss.exe{15964E91-152C-620E-F707-000000003602}6232C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000035007Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:12.269{15964E91-152C-620E-EE07-000000003602}59246000C:\Windows\system32\cmd.exe{15964E91-152C-620E-F707-000000003602}6232C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000035006Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:12.269{15964E91-152C-620E-F707-000000003602}6232C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKLM\SYSTEM\CurrentControlSet\Services\Sense" /v "Start" /t "REG_DWORD" /d "4" /fC:\Temp\ATTACKRANGE\Administrator{15964E91-0B4B-620E-27B1-370000000000}0x37b1272HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{15964E91-152C-620E-EE07-000000003602}5924C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Temp\dis_reg.bat" " 13241300x800000000000000035005Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.localT1031,T1050SetValue2022-02-17 09:28:12.267{15964E91-152C-620E-F607-000000003602}4472C:\Windows\system32\reg.exeHKLM\System\CurrentControlSet\Services\WdNisSvc\StartDWORD (0x00000004) 10341000x800000000000000035004Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:12.247{15964E91-152C-620E-EF07-000000003602}52683492C:\Windows\system32\conhost.exe{15964E91-152C-620E-F607-000000003602}4472C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035003Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:12.247{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035002Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:12.247{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035001Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:12.247{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035000Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:12.247{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034999Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:12.247{15964E91-0B49-620E-4B06-000000003602}24361352C:\Windows\system32\csrss.exe{15964E91-152C-620E-F607-000000003602}4472C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000034998Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:12.247{15964E91-152C-620E-EE07-000000003602}59246000C:\Windows\system32\cmd.exe{15964E91-152C-620E-F607-000000003602}4472C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000034997Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:12.257{15964E91-152C-620E-F607-000000003602}4472C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKLM\SYSTEM\CurrentControlSet\Services\WdNisSvc" /v "Start" /t "REG_DWORD" /d "4" /fC:\Temp\ATTACKRANGE\Administrator{15964E91-0B4B-620E-27B1-370000000000}0x37b1272HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{15964E91-152C-620E-EE07-000000003602}5924C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Temp\dis_reg.bat" " 13241300x800000000000000034996Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-SetValue2022-02-17 09:28:12.247{15964E91-152C-620E-F507-000000003602}5080C:\Windows\system32\reg.exeHKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore\DisableSRDWORD (0x00000001) 10341000x800000000000000034995Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:12.247{15964E91-152C-620E-EF07-000000003602}52683492C:\Windows\system32\conhost.exe{15964E91-152C-620E-F507-000000003602}5080C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034994Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:12.247{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034993Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:12.231{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034992Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:12.231{15964E91-0B49-620E-4B06-000000003602}24362168C:\Windows\system32\csrss.exe{15964E91-152C-620E-F507-000000003602}5080C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000034991Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:12.231{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034990Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:12.231{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034989Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:12.231{15964E91-152C-620E-EE07-000000003602}59246000C:\Windows\system32\cmd.exe{15964E91-152C-620E-F507-000000003602}5080C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000034988Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:12.244{15964E91-152C-620E-F507-000000003602}5080C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableSR " /t "REG_DWORD" /d "1" /fC:\Temp\ATTACKRANGE\Administrator{15964E91-0B4B-620E-27B1-370000000000}0x37b1272HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{15964E91-152C-620E-EE07-000000003602}5924C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Temp\dis_reg.bat" " 13241300x800000000000000034987Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-SetValue2022-02-17 09:28:12.231{15964E91-152C-620E-F407-000000003602}2548C:\Windows\system32\reg.exeHKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore\DisableConfigDWORD (0x00000001) 10341000x800000000000000034986Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:12.231{15964E91-152C-620E-EF07-000000003602}52683492C:\Windows\system32\conhost.exe{15964E91-152C-620E-F407-000000003602}2548C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034985Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:12.231{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034984Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:12.231{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034983Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:12.231{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034982Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:12.231{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034981Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:12.231{15964E91-0B49-620E-4B06-000000003602}24361352C:\Windows\system32\csrss.exe{15964E91-152C-620E-F407-000000003602}2548C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000034980Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:12.231{15964E91-152C-620E-EE07-000000003602}59246000C:\Windows\system32\cmd.exe{15964E91-152C-620E-F407-000000003602}2548C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000034979Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:12.235{15964E91-152C-620E-F407-000000003602}2548C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableConfig" /t "REG_DWORD" /d "1" /fC:\Temp\ATTACKRANGE\Administrator{15964E91-0B4B-620E-27B1-370000000000}0x37b1272HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{15964E91-152C-620E-EE07-000000003602}5924C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Temp\dis_reg.bat" " 13241300x800000000000000034978Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-SetValue2022-02-17 09:28:12.231{15964E91-152C-620E-F307-000000003602}2832C:\Windows\system32\reg.exeHKU\S-1-5-21-656111903-2775508965-369574649-500_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\PhishingFilter\(Default)(Empty) 10341000x800000000000000034977Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:12.200{15964E91-152C-620E-EF07-000000003602}52683492C:\Windows\system32\conhost.exe{15964E91-152C-620E-F307-000000003602}2832C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034976Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:12.200{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034975Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:12.200{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034974Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:12.200{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034973Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:12.200{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034972Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:12.200{15964E91-0B49-620E-4B06-000000003602}24365384C:\Windows\system32\csrss.exe{15964E91-152C-620E-F307-000000003602}2832C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000034971Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:12.200{15964E91-152C-620E-EE07-000000003602}59246000C:\Windows\system32\cmd.exe{15964E91-152C-620E-F307-000000003602}2832C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000034970Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:12.210{15964E91-152C-620E-F307-000000003602}2832C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exeReg add "HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\PhishingFilter" /fC:\Temp\ATTACKRANGE\Administrator{15964E91-0B4B-620E-27B1-370000000000}0x37b1272HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{15964E91-152C-620E-EE07-000000003602}5924C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Temp\dis_reg.bat" " 13241300x800000000000000034969Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.localT1031,T1050SetValue2022-02-17 09:28:12.200{15964E91-152C-620E-F207-000000003602}6100C:\Windows\system32\reg.exeHKLM\System\CurrentControlSet\Services\wscsvc\StartDWORD (0x00000004) 10341000x800000000000000034968Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:12.185{15964E91-152C-620E-EF07-000000003602}52683492C:\Windows\system32\conhost.exe{15964E91-152C-620E-F207-000000003602}6100C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034967Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:12.185{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034966Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:12.185{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034965Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:12.185{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034964Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:12.185{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034963Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:12.185{15964E91-0B49-620E-4B06-000000003602}24362168C:\Windows\system32\csrss.exe{15964E91-152C-620E-F207-000000003602}6100C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000034962Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:12.185{15964E91-152C-620E-EE07-000000003602}59246000C:\Windows\system32\cmd.exe{15964E91-152C-620E-F207-000000003602}6100C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000034961Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:12.192{15964E91-152C-620E-F207-000000003602}6100C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exeREG add "HKLM\SYSTEM\CurrentControlSet\services\wscsvc" /v Start /t REG_DWORD /d 4 /fC:\Temp\ATTACKRANGE\Administrator{15964E91-0B4B-620E-27B1-370000000000}0x37b1272HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{15964E91-152C-620E-EE07-000000003602}5924C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Temp\dis_reg.bat" " 13241300x800000000000000034960Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.localT1031,T1050SetValue2022-02-17 09:28:12.185{15964E91-152C-620E-F107-000000003602}580C:\Windows\system32\reg.exeHKLM\System\CurrentControlSet\Services\MpsSvc\StartDWORD (0x00000004) 10341000x800000000000000034959Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:12.169{15964E91-152C-620E-EF07-000000003602}52683492C:\Windows\system32\conhost.exe{15964E91-152C-620E-F107-000000003602}580C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034958Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:12.169{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034957Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:12.169{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034956Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:12.169{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034955Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:12.169{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034954Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:12.169{15964E91-0B49-620E-4B06-000000003602}24365384C:\Windows\system32\csrss.exe{15964E91-152C-620E-F107-000000003602}580C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000034953Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:12.169{15964E91-152C-620E-EE07-000000003602}59246000C:\Windows\system32\cmd.exe{15964E91-152C-620E-F107-000000003602}580C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000034952Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:12.176{15964E91-152C-620E-F107-000000003602}580C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exeREG add "HKLM\SYSTEM\CurrentControlSet\services\MpsSvc" /v Start /t REG_DWORD /d 4 /fC:\Temp\ATTACKRANGE\Administrator{15964E91-0B4B-620E-27B1-370000000000}0x37b1272HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{15964E91-152C-620E-EE07-000000003602}5924C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Temp\dis_reg.bat" " 13241300x800000000000000034951Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-SetValue2022-02-17 09:28:12.169{15964E91-152C-620E-F007-000000003602}6104C:\Windows\system32\reg.exeHKU\S-1-5-21-656111903-2775508965-369574649-500\SOFTWARE\Policies\Microsoft\Windows\Explorer\DisableNotificationCenterDWORD (0x00000001) 10341000x800000000000000034950Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:12.169{15964E91-152C-620E-EF07-000000003602}52683492C:\Windows\system32\conhost.exe{15964E91-152C-620E-F007-000000003602}6104C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034949Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:12.167{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034948Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:12.167{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034947Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:12.166{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034946Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:12.166{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034945Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:12.166{15964E91-0B49-620E-4B06-000000003602}24361352C:\Windows\system32\csrss.exe{15964E91-152C-620E-F007-000000003602}6104C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000034944Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:12.166{15964E91-152C-620E-EE07-000000003602}59246000C:\Windows\system32\cmd.exe{15964E91-152C-620E-F007-000000003602}6104C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000034943Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:12.165{15964E91-152C-620E-F007-000000003602}6104C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exeReg add "HKCU\SOFTWARE\Policies\Microsoft\Windows\Explorer" /v "DisableNotificationCenter" /t REG_DWORD /d "1" /fC:\Temp\ATTACKRANGE\Administrator{15964E91-0B4B-620E-27B1-370000000000}0x37b1272HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{15964E91-152C-620E-EE07-000000003602}5924C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Temp\dis_reg.bat" " 10341000x800000000000000034942Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:12.132{15964E91-0B4D-620E-6506-000000003602}38245940C:\Windows\Explorer.EXE{15964E91-152C-620E-EE07-000000003602}5924C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+63325|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034941Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:12.132{15964E91-0B4D-620E-6506-000000003602}38245940C:\Windows\Explorer.EXE{15964E91-152C-620E-EE07-000000003602}5924C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6323e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034940Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:12.132{15964E91-0B4D-620E-6506-000000003602}38245940C:\Windows\Explorer.EXE{15964E91-152C-620E-EE07-000000003602}5924C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63207|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034939Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:12.132{15964E91-0B4C-620E-5906-000000003602}21364264C:\Windows\system32\taskhostw.exe{15964E91-152C-620E-EF07-000000003602}5268C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034938Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:12.132{15964E91-0B4C-620E-5906-000000003602}21364264C:\Windows\system32\taskhostw.exe{15964E91-152C-620E-EF07-000000003602}5268C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034937Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:12.116{15964E91-0B4D-620E-6506-000000003602}38243832C:\Windows\Explorer.EXE{15964E91-152C-620E-EE07-000000003602}5924C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+63325|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034936Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:12.116{15964E91-0B4D-620E-6506-000000003602}38243832C:\Windows\Explorer.EXE{15964E91-152C-620E-EE07-000000003602}5924C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6323e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034935Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:12.116{15964E91-0B4D-620E-6506-000000003602}38243832C:\Windows\Explorer.EXE{15964E91-152C-620E-EE07-000000003602}5924C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63207|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034934Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:12.116{15964E91-0B4D-620E-6506-000000003602}38243832C:\Windows\Explorer.EXE{15964E91-152C-620E-EE07-000000003602}5924C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034933Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:12.100{15964E91-0B4D-620E-6506-000000003602}38243436C:\Windows\Explorer.EXE{15964E91-152C-620E-EF07-000000003602}5268C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+639b0|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034932Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:12.100{15964E91-0B4D-620E-6506-000000003602}38243436C:\Windows\Explorer.EXE{15964E91-152C-620E-EF07-000000003602}5268C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47d70|C:\Windows\System32\SHELL32.dll+6396c|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034931Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:12.100{15964E91-0B4D-620E-6506-000000003602}38243436C:\Windows\Explorer.EXE{15964E91-152C-620E-EF07-000000003602}5268C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63940|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034930Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:12.100{15964E91-0B4D-620E-6506-000000003602}38243436C:\Windows\Explorer.EXE{15964E91-152C-620E-EF07-000000003602}5268C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d549|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034929Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:12.085{15964E91-0551-620E-1600-000000003602}13281620C:\Windows\system32\svchost.exe{15964E91-152C-620E-EF07-000000003602}5268C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034928Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:12.085{15964E91-0551-620E-1600-000000003602}13281368C:\Windows\system32\svchost.exe{15964E91-152C-620E-EF07-000000003602}5268C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034927Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:12.085{15964E91-152C-620E-EF07-000000003602}52683492C:\Windows\system32\conhost.exe{15964E91-152C-620E-EE07-000000003602}5924C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034926Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:12.069{15964E91-0B49-620E-4B06-000000003602}24365384C:\Windows\system32\csrss.exe{15964E91-152C-620E-EF07-000000003602}5268C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 13241300x800000000000000034925Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.localInvDBSetValue2022-02-17 09:28:12.069{15964E91-0551-620E-1300-000000003602}664C:\Windows\System32\svchost.exeHKU\S-1-5-21-656111903-2775508965-369574649-500\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store\C:\Temp\dis_reg.batBinary Data 10341000x800000000000000034924Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:12.069{15964E91-0551-620E-1300-000000003602}6643888C:\Windows\System32\svchost.exe{15964E91-152C-620E-EE07-000000003602}5924C:\Windows\system32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\pcasvc.dll+52e4|c:\windows\system32\pcasvc.dll+58a9|c:\windows\system32\pcasvc.dll+5b49|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+3534e|C:\Windows\System32\RPCRT4.dll+20cc7|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034923Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:12.069{15964E91-0551-620E-1300-000000003602}6643888C:\Windows\System32\svchost.exe{15964E91-0B4D-620E-6506-000000003602}3824C:\Windows\Explorer.EXE0x1440C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+5bab|c:\windows\system32\pcasvc.dll+5b07|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+3534e|C:\Windows\System32\RPCRT4.dll+20cc7|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034922Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:12.069{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034921Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:12.069{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034920Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:12.069{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034919Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:12.069{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034918Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:12.069{15964E91-0B49-620E-4B06-000000003602}24361352C:\Windows\system32\csrss.exe{15964E91-152C-620E-EE07-000000003602}5924C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000034917Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:12.069{15964E91-0B4D-620E-6506-000000003602}38246816C:\Windows\Explorer.EXE{15964E91-152C-620E-EE07-000000003602}5924C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+a90ff|C:\Windows\System32\windows.storage.dll+a8d75|C:\Windows\System32\windows.storage.dll+a8866|C:\Windows\System32\windows.storage.dll+a9cd8|C:\Windows\System32\windows.storage.dll+a868e|C:\Windows\System32\windows.storage.dll+ab4a5|C:\Windows\System32\windows.storage.dll+ab824|C:\Windows\System32\windows.storage.dll+aae60|C:\Windows\System32\windows.storage.dll+ad68a|C:\Windows\System32\windows.storage.dll+ad442|C:\Windows\System32\SHELL32.dll+3fa6d|C:\Windows\System32\SHELL32.dll+3e606|C:\Windows\System32\SHELL32.dll+80381|C:\Windows\System32\SHELL32.dll+6731e|C:\Windows\System32\SHELL32.dll+18cf1c|C:\Windows\System32\SHELL32.dll+18cc73|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000034916Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:12.074{15964E91-152C-620E-EE07-000000003602}5924C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Temp\dis_reg.bat" "C:\Temp\ATTACKRANGE\Administrator{15964E91-0B4B-620E-27B1-370000000000}0x37b1272HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{15964E91-0B4D-620E-6506-000000003602}3824C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK 23542300x800000000000000035075Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:13.384{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E381C16F715C0625250A8E3035A538B4,SHA256=AFF8EED096445B55D7DEE43F44644B2D33EE1CBEABCD8414F136D6300BA40AFF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035074Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:13.084{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9284E30C26FD3379C49F4ED9EB917CCD,SHA256=6853606DCA9DA09FEC3BAECC51BA1A7B3ED18C311CC3E5BA3050035F602DE450,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035073Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:13.084{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D96E2ECDC73F655CEF4E9F51781209D6,SHA256=DC4D2144B42C6E0AC4D5EEA7A105686DD177D3459050B720A9B65AC969A9D1F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035077Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:14.398{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D084857A451AA43373CE194510029FED,SHA256=764E387A32059CE7D5B9DF58C0E1D75B4DEBE437A00251D45264BCF852F9A2DA,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000035076Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:12.707{15964E91-067A-620E-EA00-000000003602}944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-72.attackrange.local54660-false10.0.1.12-8000- 23542300x800000000000000035078Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:15.429{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7859BE68D82E0A2A95C4480E8514ACC8,SHA256=656B8EA03F37F922F85C864D06235A1928041E9045503C21A957CAC0A0EE9686,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035079Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:16.443{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7D21EDEF407A602EC876D235C5235F1,SHA256=8C91F155C2F33D281B73A0F46579194ED5C2F84ADDF70A7AE1AFC2643458F864,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035080Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:17.461{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1A8910BDC6BB65DCA26B08EA4D21320,SHA256=7F9E4BAF3158568712CFDD00A66A11F8C13E5917D93196EA5903B023453F9BC6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035082Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:18.483{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1D202B908DA728A6B1E689260E33983,SHA256=98A075764755A7D5E3D309D5C5ECB60954700A460A523CCA9CC08DD72A2D2BC4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035081Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:18.230{15964E91-0D67-620E-C106-000000003602}7132ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\lqyh10pn.default-release\datareporting\glean\db\data.safe.binMD5=C1D2780EE518C03ACF1626ABA00B0A80,SHA256=3FA1AF0B7707969B0B2E6FAA324C31D58D897867BB77E047AEEAFBA469557608,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000035084Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:17.732{15964E91-067A-620E-EA00-000000003602}944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-72.attackrange.local54661-false10.0.1.12-8000- 23542300x800000000000000035083Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:19.498{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6591ED0230476B032F420007845ABF7A,SHA256=9EBB1178B53B5F014ACF2A1E5A8CC72EEAA5BACEED464D0D160C096FDA731D8D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035085Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:20.513{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F81FCBD1EDE57FE761BF96BDF9EFBF3,SHA256=9C6217F07CB652C7A10EC31ED42C88E783ED52340BF0FF349F546DDB3AC87E69,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035086Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:21.561{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CCC1F900E7FFE21311C01A219606C6F,SHA256=746C7C79719BF58463E747F4E409FCE6ABDC1BFACB155231C0D91F1B19F36E92,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035087Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:22.581{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22BFC2CFDE7407C6AA78CE9618B6AC69,SHA256=2DA1691C630F3AA9FB8585D71B27F9CC189B80DC1E5F42F94FA1F60F92186AF4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035088Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:23.585{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=250AB9ED61A5BFED844608F8993E15E0,SHA256=CBC3CDC37FE88B4A38FE7AA64E1E753ADEC220214A167BFB0D92044245D1518D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035089Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:24.589{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=358C5DE44D7606F0258F253952F1FAB8,SHA256=0C9C42FBEE4715568447A3EFB2BA2AC551426F041BEF6914ED9544DA21661779,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035091Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:25.590{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83DF6C783B4AE00F57AE11E82EAD7A54,SHA256=0F8219B521E47A656E786A7489916F1E3E64940EE2ACC2669760D2F401170CC5,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000035090Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:23.734{15964E91-067A-620E-EA00-000000003602}944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-72.attackrange.local54662-false10.0.1.12-8000- 23542300x800000000000000035092Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:26.605{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82316B4D404EB55AF5C57DED0C94CD92,SHA256=AA9555F90D7184174B16B0738EB05FFF320ECF402F55610FD7FD3FDD308DBB33,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035093Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:27.606{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B58110A009B3769987DD3E7EAEDC48E,SHA256=494A49D61A52B0B64DD937522B83003F7D24D8DC69A7AC93E0A2B9C61A663A68,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035094Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:28.653{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54FD39F488184CDEF8B813A88DA1789B,SHA256=07F102E31D9F294F696F063E7A0EECBFBC94FB5B6EE506D5AC17400624569B51,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035095Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:29.671{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=626BD25866CEEE54BA4B59A2BE6AE5C3,SHA256=EFAC94AA7AA710E0ADC7E7EFEE62DA0582D65F5A541D884D53B09BD52548D0A6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000035106Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:30.868{15964E91-0551-620E-0D00-000000003602}8801176C:\Windows\system32\svchost.exe{15964E91-0562-620E-2F00-000000003602}8C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035105Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:30.868{15964E91-0551-620E-0D00-000000003602}8801176C:\Windows\system32\svchost.exe{15964E91-0551-620E-1600-000000003602}1328C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000035104Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:30.689{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FDAEC30771E859B04B348A47010DB1B7,SHA256=188149C70DDEE22FE325553FCF04B9E40AB31D1DF06F91D49B5A8B0053A2898D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000035103Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:30.452{15964E91-0672-620E-C000-000000003602}31923852C:\Windows\system32\conhost.exe{15964E91-153E-620E-FF07-000000003602}1120C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035102Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:30.452{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035101Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:30.452{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035100Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:30.452{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035099Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:30.452{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035098Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:30.452{15964E91-054E-620E-0500-000000003602}392476C:\Windows\system32\csrss.exe{15964E91-153E-620E-FF07-000000003602}1120C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000035097Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:30.452{15964E91-0672-620E-BC00-000000003602}48522656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{15964E91-153E-620E-FF07-000000003602}1120C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000035096Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:30.453{15964E91-153E-620E-FF07-000000003602}1120C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{15964E91-054F-620E-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{15964E91-0672-620E-BC00-000000003602}4852C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000035120Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:29.710{15964E91-067A-620E-EA00-000000003602}944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-72.attackrange.local54663-false10.0.1.12-8000- 23542300x800000000000000035119Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:31.716{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=520A38B1C7E91BEDA4076344AB8D3BE6,SHA256=C9FD0E1D1F83137905F1712CFB690D04902C2DB923B644A80D65B4DEA62C05B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035118Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:31.464{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=69534F61FADCB34CF16E89CD0469B4B6,SHA256=2DCDD293278CF594F69D252832C2DC9F7D70376A1CD829ADD640EC9601CF1E0C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035117Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:31.464{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9284E30C26FD3379C49F4ED9EB917CCD,SHA256=6853606DCA9DA09FEC3BAECC51BA1A7B3ED18C311CC3E5BA3050035F602DE450,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000035116Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:31.406{15964E91-153F-620E-0008-000000003602}35046796C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{15964E91-0672-620E-BC00-000000003602}4852C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000035115Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:31.230{15964E91-0562-620E-2C00-000000003602}3036NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0cd13038d9acfb6a1\channels\health\respondent-20220217082052-065MD5=5CDEFFEB9D405321091B6D567D00213B,SHA256=694D3E29A1B4A6F1E67ADE1AE836583F1FB15D03FD159997E24992AEAD1D69F8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000035114Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:31.120{15964E91-0672-620E-C000-000000003602}31923852C:\Windows\system32\conhost.exe{15964E91-153F-620E-0008-000000003602}3504C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035113Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:31.120{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035112Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:31.120{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035111Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:31.120{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035110Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:31.120{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035109Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:31.120{15964E91-054E-620E-0500-000000003602}392508C:\Windows\system32\csrss.exe{15964E91-153F-620E-0008-000000003602}3504C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000035108Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:31.120{15964E91-0672-620E-BC00-000000003602}48522656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{15964E91-153F-620E-0008-000000003602}3504C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000035107Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:31.121{15964E91-153F-620E-0008-000000003602}3504C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{15964E91-054F-620E-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{15964E91-0672-620E-BC00-000000003602}4852C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035130Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:32.718{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64E35D11CB22061DD957EBFD10F37B10,SHA256=35CBA4AD95F6046E978477BDAE75DC4943F24BF64A727D47DD762621840526DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035129Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:32.236{15964E91-0562-620E-2C00-000000003602}3036NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0cd13038d9acfb6a1\channels\health\surveyor-20220217082050-066MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000035128Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:32.016{15964E91-0672-620E-C000-000000003602}31923852C:\Windows\system32\conhost.exe{15964E91-1540-620E-0108-000000003602}7092C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035127Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:32.015{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035126Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:32.015{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035125Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:32.015{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035124Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:32.015{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035123Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:32.014{15964E91-054E-620E-0500-000000003602}392476C:\Windows\system32\csrss.exe{15964E91-1540-620E-0108-000000003602}7092C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000035122Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:32.014{15964E91-0672-620E-BC00-000000003602}48522656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{15964E91-1540-620E-0108-000000003602}7092C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000035121Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:32.013{15964E91-1540-620E-0108-000000003602}7092C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{15964E91-054F-620E-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{15964E91-0672-620E-BC00-000000003602}4852C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035143Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:33.734{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=058318BD5873112590BB5057F3981BAA,SHA256=196C35C1504C62440C37EBD980151B462993D7D1EA23753D8E122126A3B257EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035142Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:33.450{15964E91-0551-620E-1100-000000003602}396NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=B4F4FC52D74B832035FF73FBAC0EF0C7,SHA256=33059DC57DB02D10C9A47BBFAFD30F2B967EF533446B6D0634485631A1EF19EC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000035141Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:33.334{15964E91-1541-620E-0208-000000003602}42966908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{15964E91-0672-620E-BC00-000000003602}4852C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000035140Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:33.280{15964E91-0D67-620E-C106-000000003602}7132ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\lqyh10pn.default-release\datareporting\glean\db\data.safe.binMD5=906F4B754691AABF2C8285F0A9871641,SHA256=130C60A5D620B240B086A99D9C603E78F1D37F06A6D3C5448CD1D139A323D203,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000035139Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:33.096{15964E91-0672-620E-C000-000000003602}31923852C:\Windows\system32\conhost.exe{15964E91-1541-620E-0208-000000003602}4296C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035138Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:33.096{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035137Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:33.096{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035136Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:33.096{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035135Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:33.096{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035134Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:33.096{15964E91-054E-620E-0500-000000003602}392476C:\Windows\system32\csrss.exe{15964E91-1541-620E-0208-000000003602}4296C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000035133Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:33.096{15964E91-0672-620E-BC00-000000003602}48522656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{15964E91-1541-620E-0208-000000003602}4296C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000035132Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:33.097{15964E91-1541-620E-0208-000000003602}4296C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{15964E91-054F-620E-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{15964E91-0672-620E-BC00-000000003602}4852C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035131Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:33.034{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=69534F61FADCB34CF16E89CD0469B4B6,SHA256=2DCDD293278CF594F69D252832C2DC9F7D70376A1CD829ADD640EC9601CF1E0C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000035162Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:34.865{15964E91-0672-620E-C000-000000003602}31923852C:\Windows\system32\conhost.exe{15964E91-1542-620E-0408-000000003602}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035161Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:34.865{15964E91-054E-620E-0500-000000003602}392476C:\Windows\system32\csrss.exe{15964E91-1542-620E-0408-000000003602}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000035160Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:34.865{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035159Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:34.865{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035158Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:34.865{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035157Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:34.865{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035156Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:34.865{15964E91-0672-620E-BC00-000000003602}48522656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{15964E91-1542-620E-0408-000000003602}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000035155Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:34.866{15964E91-1542-620E-0408-000000003602}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{15964E91-054F-620E-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{15964E91-0672-620E-BC00-000000003602}4852C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035154Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:34.765{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56B6A6D154AECC4D39AA4FAE0346EA62,SHA256=1B5DC83E3352A8C8972085EE9E7767B032AD3B75CDB774F9815E762C6BB2BFC8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000035153Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:34.439{15964E91-1542-620E-0308-000000003602}68726224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{15964E91-0672-620E-BC00-000000003602}4852C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035152Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:34.234{15964E91-0672-620E-C000-000000003602}31923852C:\Windows\system32\conhost.exe{15964E91-1542-620E-0308-000000003602}6872C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035151Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:34.234{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035150Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:34.234{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035149Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:34.234{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035148Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:34.234{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035147Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:34.234{15964E91-054E-620E-0500-000000003602}392476C:\Windows\system32\csrss.exe{15964E91-1542-620E-0308-000000003602}6872C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000035146Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:34.234{15964E91-0672-620E-BC00-000000003602}48522656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{15964E91-1542-620E-0308-000000003602}6872C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000035145Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:34.235{15964E91-1542-620E-0308-000000003602}6872C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{15964E91-054F-620E-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{15964E91-0672-620E-BC00-000000003602}4852C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035144Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:34.115{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=41323C29198393BF92B8791CB16173A2,SHA256=05E7E7FBE305C64C5A73A971517353B86BE951A6899E60E7FBDECD905A923375,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035173Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:35.811{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0B1EFE8ECC81AD6E66607D0D5254F28,SHA256=084118966C430AA7B5FE429F75BB03CB83006597576D99197AAC2FF1A54F8145,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000035172Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:35.780{15964E91-0672-620E-C000-000000003602}31923852C:\Windows\system32\conhost.exe{15964E91-1543-620E-0508-000000003602}4476C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035171Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:35.780{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035170Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:35.780{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035169Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:35.780{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035168Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:35.780{15964E91-0550-620E-0C00-000000003602}8244864C:\Windows\system32\svchost.exe{15964E91-0562-620E-2E00-000000003602}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035167Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:35.780{15964E91-054E-620E-0500-000000003602}392508C:\Windows\system32\csrss.exe{15964E91-1543-620E-0508-000000003602}4476C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000035166Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:35.780{15964E91-0672-620E-BC00-000000003602}48522656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{15964E91-1543-620E-0508-000000003602}4476C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000035165Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:35.781{15964E91-1543-620E-0508-000000003602}4476C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{15964E91-054F-620E-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{15964E91-0672-620E-BC00-000000003602}4852C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035164Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:35.249{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9A5C15E6566DEB8488AA282B09061BA3,SHA256=8BEE5E8A89480248DEC9EA85ECE7FCC26E432A25FBE125536B54705B954D9731,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000035163Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:35.080{15964E91-1542-620E-0408-000000003602}56845388C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{15964E91-0672-620E-BC00-000000003602}4852C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000035176Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:35.622{15964E91-067A-620E-EA00-000000003602}944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-72.attackrange.local54664-false10.0.1.12-8000- 23542300x800000000000000035175Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:36.832{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A53B27B4DF769BCE2DF9B7EA6946B88C,SHA256=E849782245AA46A7FC1F8AFB2BF20AD7993FA907A9F35D5083A04C31FCD01147,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035174Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:36.817{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4AA63B4481910294B9DB6EDAE81C12C7,SHA256=6F8361433A27557DB786AF270CDA9D6C58C7EBBF30A31DA3E80354AE4AD21796,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035177Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:37.833{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C5EF2362AEB9BC7371603A0A7D83487,SHA256=29387C9FD2BC0914F786EAA2BE3E5AC5A7539123FD17B703D1D07ABAFF63F561,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035178Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:38.848{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5695F0D8015F1AD20E7788DF969D7CEB,SHA256=36593396204CB8F37D2E46853EC19E3328C8F5DDBC3E94A11A687FC464B60A5A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035179Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:39.863{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4A3FB8A492F81B5DFF39F27CD5B3B90,SHA256=7C40A136F7018E995135F78F0C75C570D17221E6D0131D57876B18844766906B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035180Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:40.878{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8FC47BFD32FA5B19EEBE0838DB72EAD,SHA256=0E50F21A58C15AC8E4AC035705510159142D4B7A905F7A32D9F272149A4ED041,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035181Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:41.893{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=285999CDA71F643270681DE0CE25ED94,SHA256=BF294AF3DC962A0FE2C72905F1BC54882640505600821A95474FA1C6788DCD53,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035182Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:42.910{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF8AD0BA6905ED87958FC0FD3A7B63CA,SHA256=3D31C85D47CBFD22E39AE8FBA9D46532A9641762DF6C39AC01E063D24899A3D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035185Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:43.929{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3EF1D6E053A21A8D7EBA9AC87ADABEF5,SHA256=7E9E9E41529FB3F0316936C169D36F5D8893830D207DC133CE64A7C7AD9B9C75,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000035184Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:41.551{15964E91-067A-620E-EA00-000000003602}944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-72.attackrange.local54665-false10.0.1.12-8000- 23542300x800000000000000035183Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:43.329{15964E91-0D67-620E-C106-000000003602}7132ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\lqyh10pn.default-release\datareporting\glean\db\data.safe.binMD5=D726295FAD72297F9E49738B466E01EE,SHA256=F5CDC5ED1E7D6BCF356B4F0BBF8D0ECE356DCBDD721E05E46F5BAB17654D2CD8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035186Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:44.944{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DA5923AEDC8395EB27B757D9E7A19DE,SHA256=12D9EE421F42E9CAC56C94A993B0310D6C2B47FCD2C4ED255AB9F1036CB260C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035187Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:45.959{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6A8F4A3FDAC0223BDDB4A0FBC3D84D2,SHA256=916532691C00D06A968CB9C33B7B9FD64B79AA23814824AE1ECFD766A70CD5C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035188Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:46.961{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F154CA23A478A1ADB5C4EA19D1195BC7,SHA256=E741C8F0F295A3A1735BEBF6AD18E975A27AFE66FE810995EC6B651C0DCBFDF9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035189Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:47.991{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5B7D5AF4CDCF885CB0C7024B91AF787,SHA256=829A0F2FE8F702D203ED770FCFF61A8F85312B15C7051C09C1A7B30FB58EF7B4,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000035190Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:46.616{15964E91-067A-620E-EA00-000000003602}944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-72.attackrange.local54666-false10.0.1.12-8000- 23542300x800000000000000035192Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:49.990{15964E91-0D67-620E-C106-000000003602}7132ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\lqyh10pn.default-release\datareporting\glean\db\data.safe.binMD5=90C0C787581A50A7C88D07CE08292BBA,SHA256=917837A7543ECEA9033AA60BC551E681DE7C5DC0CF3A6B9ADA486A9A43DBC1FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035191Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:49.009{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A10057FB8892ABAA995195FD58B0922E,SHA256=8DC368E39751C65A36CD8B3518D2FB9302E8E36B06B08EAE454CBA979299AE0C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035193Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:50.027{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9A546C2868719D66149002D7E50908D,SHA256=A0B88DE18C760249766E7580CE4355D3F404F869492A14B02C95A6C9F7A2C22E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035194Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:51.058{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8A019F82B19E7F8BD04820F80F32BFF,SHA256=C37F83408C5610D3556E472DA02AB7CEA38E1235669857190982CBD13202D409,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035195Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:52.089{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1B6C287E167C6641B9622BECC811A9F,SHA256=D86086D4962B8D24C68EDBA5E32FB3F46CAD7C125DF51CB1D89B89ECBC81F03C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000035197Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:52.515{15964E91-067A-620E-EA00-000000003602}944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-72.attackrange.local54667-false10.0.1.12-8000- 23542300x800000000000000035196Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:53.094{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=226EEFFACAFD92E8E5635DEB23266842,SHA256=51CE81F9511FCAC60FD2D281307C7B0E14907D20EAE2F6CD42F35EAB9E5FB29A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035198Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:54.094{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA2197B809E71A040BDC63ED5988759E,SHA256=0F6DF2EAA335B40D63D610A73087CBA4EFD5F4F9D3C15261263E65F7868A3D50,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035199Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:55.111{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3ACE2BAC80E9FBA75442FA6CDA6F78BB,SHA256=B2F0B28AD9F6A0E5759E379707F0CDEAABC50E963A9C3EEFD46676E1125D9008,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035200Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:56.130{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4EB73280FF581A46477702197FE07DCF,SHA256=EA1B5FC7B4E36BEA8B047F740AE0F74F0D0C25A2CBF8B678F96DCE5A2E906A05,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035201Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:57.160{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DDEED6EFD2993C44361C731F507D94E,SHA256=F9E6C130E6FAF05D89012D9CF7A734005B515D352206ECFF7C2BF76F9924C10C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035202Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:58.164{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A779DCFDE8E60D7B73FC95DBFE89F79,SHA256=52361C3DF57922DEBDA8E2011B8EAF2AFB1332EA19008B939967B523760F0E35,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035204Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:59.165{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD9523CB1A9BEC874FAF30DD177DF91E,SHA256=2FC85CC2723D2EC9B4F268BB9E5995EDEB7C6C23AE5A735F676643741BD630FC,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000035203Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:28:57.582{15964E91-067A-620E-EA00-000000003602}944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-72.attackrange.local54668-false10.0.1.12-8000- 23542300x800000000000000035206Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:29:00.179{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=534BBCB33472D099CEB13A88461D9117,SHA256=376257D459AAE2904E0F07C4BBEF40963C208606D1A1B817492DF6ED142D7859,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035205Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:29:00.032{15964E91-0D67-620E-C106-000000003602}7132ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\lqyh10pn.default-release\datareporting\glean\db\data.safe.binMD5=E56764138CBB7A138029600D6AA899C0,SHA256=983FB3701B003FAB6C7F57BB81C29AB48083341B3FD6F79F8C5F814C7DCB3A8A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035207Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:29:01.231{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7865DFD17C0C8A1717AA3319FAB8FEB2,SHA256=DD06B5C0B0D850ABA36EFA44CC231F62CFAD1AB5625A105C3B81530E59A8022C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035208Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:29:02.262{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A30BCCF54200DCE71E4046DC1B1799AA,SHA256=721A9448B7E267934D612F9A381782BFA5062D8F33192C743D6AFEDB7DEEE7AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035209Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:29:03.268{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC37C63602339017EFA10F4930BFE8E9,SHA256=73034D5E74F905A1D00BC9A4E1B80729A8E0E4306286F44A399491CA7C583C67,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035213Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:29:04.383{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0A5C697224819C077D98B78372454063,SHA256=1575FE71A316B89D62E3A648EB1B8201E74907C88BA15333908264FCCC973B2E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035212Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:29:04.383{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BE6DAFF9A6549DBE2CA75380126B8FDD,SHA256=90E01E367B767516F40C0BEA7EA5B33E947E0C4B79D41A138980245278156FA7,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000035211Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:29:03.556{15964E91-067A-620E-EA00-000000003602}944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-72.attackrange.local54669-false10.0.1.12-8000- 23542300x800000000000000035210Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:29:04.299{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62C098DD9649C76384C989CFD0EED645,SHA256=7D7020785A3BE24344413402D898EC88B9B00A5467A5AD2B5B34D3205FC6E728,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000035216Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:29:03.856{15964E91-054F-620E-0B00-000000003602}608C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-72.attackrange.local54670-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-72.attackrange.local389ldap 354300x800000000000000035215Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:29:03.856{15964E91-0562-620E-2800-000000003602}2872C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-72.attackrange.local54670-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-72.attackrange.local389ldap 23542300x800000000000000035214Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:29:05.300{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=325C5156E19A6EA70D98A567AEECBF0B,SHA256=1C3EF2289285BC8D8585379DB8B5FAC1086B5EC20B81010E8408F9E5E0F04E70,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035218Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:29:06.622{15964E91-0672-620E-BC00-000000003602}4852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=554F80C87A60F88447015614FA504F09,SHA256=9734764964C63DD96DF33102D80013D51246168D99B6876127D1078C9C381AF6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035217Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:29:06.319{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4EAB802EFB7E10D15B39371D0C0750B8,SHA256=B296292039E34769E75A83D8D1528187D82954AD26CB7179CAD3965F2FE68A03,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035219Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:29:07.352{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2D39A6C3D1EF8EEFD77F841C0C280F5,SHA256=AC68CD702CA6923ED4611946DFB0F89D3CF48194F1C691AC37D820229A4396EC,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000035224Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:29:07.103{15964E91-0672-620E-BC00-000000003602}4852C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-72.attackrange.local54671-false10.0.1.12-8089- 23542300x800000000000000035223Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:29:08.366{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37DA93E939A0ED95F7FDAD1C94DE56D6,SHA256=5E26EFB30A2E897955D63349D3F4D80857EE785653C2EB95A9E18DD41A39C0B0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000035222Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:29:08.335{15964E91-0B4D-620E-6506-000000003602}3824312C:\Windows\Explorer.EXE{15964E91-0D67-620E-C106-000000003602}7132C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+55bd0|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF8034F86AFD8)|UNKNOWN(FFFF835D954A5B68)|UNKNOWN(FFFF835D954A5CE7)|UNKNOWN(FFFF835D954A0371)|UNKNOWN(FFFF835D954A1D3A)|UNKNOWN(FFFF835D9549FFF6)|UNKNOWN(FFFFF8034F582503)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5942b|C:\Windows\System32\SHELL32.dll+dac8a|C:\Windows\System32\SHCORE.dll+33fad 10341000x800000000000000035221Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:29:08.335{15964E91-0B4D-620E-6506-000000003602}3824312C:\Windows\Explorer.EXE{15964E91-0D67-620E-C106-000000003602}7132C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+556b1|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF8034F86AFD8)|UNKNOWN(FFFF835D954A5B68)|UNKNOWN(FFFF835D954A5CE7)|UNKNOWN(FFFF835D954A0371)|UNKNOWN(FFFF835D954A1D3A)|UNKNOWN(FFFF835D9549FFF6)|UNKNOWN(FFFFF8034F582503)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5942b|C:\Windows\System32\SHELL32.dll+dac8a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000035220Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:29:08.335{15964E91-0D67-620E-C106-000000003602}7132ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RF3edfe2.TMPMD5=910A5A6682B3ECC091C93A3263507DA7,SHA256=214532C8028C1246DFF4EFC412A9E5AD08CDC8F98BC71E8B28E1F090257D7627,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035226Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:29:09.398{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2B3FE73C0D29FCE7464FA36F1D50A39,SHA256=196E9BB582D97C20C7CB14388BC3EF50C88E4BD40B4FD3FF07DE915FEAD13261,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000035225Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:29:09.313{15964E91-0551-620E-0D00-000000003602}8801176C:\Windows\system32\svchost.exe{15964E91-0D67-620E-C106-000000003602}7132C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000035228Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:29:08.605{15964E91-067A-620E-EA00-000000003602}944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-72.attackrange.local54672-false10.0.1.12-8000- 23542300x800000000000000035227Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:29:10.414{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C91AC615FD39F901AB97BEFABFB5D451,SHA256=A45D2516F31E0BE6705B9636D4FE9C759BC6EB2380CF650F78A7F60F4B0796B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035229Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:29:11.433{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E3A0AA4C8E79FCACD777218FE425648,SHA256=314E5C0ABB89F94104B0946B0613706AD40DA830148B8AF5081E50920531B459,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035230Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:29:12.436{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16D4ABEE189D808570195B3BF5AB133C,SHA256=8D49B274FD1D9E79C514E0C1C086C98848520D68931226C8337C14A4CC6E18FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035231Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:29:13.467{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F8CC302483A0E04B7B717C6AAE35A1B,SHA256=EEFC21650E81B60FECECDC3EEDACD8DE809D16F0DAA40D8963E96A6EA87F47E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035232Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:29:14.482{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28745C4B8AC82D8C72F32A3FB5535357,SHA256=FF80190429B56C0E470848EEE84BA22C7B9F2E9DEC6F9408A5FAEE82471FB168,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035233Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:29:15.515{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=953909E1666A95CD587D0DDDA87B1CAD,SHA256=8EF9154986BF209637880D1D30FA3548C460E0F99DB43BDFDDEFE4C01863D0E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035235Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:29:16.533{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF88AD6995044AC083C2D50FBB2F99F8,SHA256=FF5F5CCA49E53E152E998F79AC23EBADEFC31BBF753F2E2AE4D5E171CCE32133,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000035234Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:29:14.601{15964E91-067A-620E-EA00-000000003602}944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-72.attackrange.local54673-false10.0.1.12-8000- 23542300x800000000000000035236Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:29:17.549{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1A4A8FC959750C046A7D01003C9D711,SHA256=DB26428E11C9465C3D0C90110A2B42ECFD8E55C22E76E94CFB28D7B9CA614F07,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035237Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:29:18.550{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0971E42A3B4B90ACCB2B062414963FA9,SHA256=249D3600C3E8E977D9BC9FDDE506D4C6332F0C343B2BE6A8B5FA85291D6E0E41,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035238Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:29:19.566{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66285D902E7097D127ACEE53543AA9BA,SHA256=7A101F6C85EFC8C93AB488A868B8735D2027CE880C820AD45202C82740BD9D6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035240Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:29:20.581{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA82CFD55CA3AE2A30FF22A58BB93E10,SHA256=A718EC2BF404B30B1D7F86D061360F30004D616889F69C2AC76BB8782D6F9CAA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035239Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:29:20.114{15964E91-0D67-620E-C106-000000003602}7132ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\lqyh10pn.default-release\datareporting\glean\db\data.safe.binMD5=79A92E811776DF2CA0524A9F639D8598,SHA256=327F857C23478DB8B6DACF9CEBBBFFED94B381E824EBF676B07E45CF3590A571,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000035242Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:29:19.604{15964E91-067A-620E-EA00-000000003602}944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-72.attackrange.local54674-false10.0.1.12-8000- 23542300x800000000000000035241Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:29:21.596{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EDA4EA8A8F1AF3023EEDB146E122B786,SHA256=ED21154AAAA40D85C3672B48AB17788215BACB48553FC04DD5E621656030488D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035243Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:29:22.616{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9C25C3D22BCA7A0BA467924521F515C,SHA256=39A08183780D65FA62B8426F7572A3E9D8325C84FC3BB541A40E431A5F95BD56,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035244Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:29:23.633{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C284F665B83EDE4389551ACB0FE06EF,SHA256=9F1BDE6CB917BDF4A855D9ED93C6BC3610C3BE9B6CA2FAECA3A5A1489D595116,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035245Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:29:24.648{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=514BBB9E3C1FE7D7170A4A325FDF9BD8,SHA256=515D0B5EC53E2EE8924A37007E7B25F4F859CA2F5A497F877443453581C3D7E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035246Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:29:25.678{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5C717633F6669C855813E710E836EFC,SHA256=19545650C84B92802A6058EAC9F98FA0A30A9D655E5789FCA4B34BCC30EAE6DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035248Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:29:26.678{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA259337E7FCF564AD03F2C4BCBF2DFB,SHA256=3EF298DAE4547A65CD1843E21C6042AA0520A3D2B0B11AA47362B9F1BBC76EEF,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000035247Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:29:24.736{15964E91-067A-620E-EA00-000000003602}944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-72.attackrange.local54675-false10.0.1.12-8000- 23542300x800000000000000035249Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:29:27.692{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88F2B3E506EE6515F1EB0709F9E1E721,SHA256=FBB5C542B4E480EFC81303CCECC7F5076D12F5BD7F3BA7286D7A5EDD59F343FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035250Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:29:28.697{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4EC873F58AA813C4BDB33E0F16CD07AA,SHA256=06D6FE9E5D8BAD378512BE23020B1D11A7CCF7462A15E42C80217BD7D7174191,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035251Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-72.attackrange.local-2022-02-17 09:29:29.733{15964E91-0680-620E-F500-000000003602}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0893D3C8611415F0B0323E70FFB9A298,SHA256=4DCB555AA54599FBBDD87F40F79970E8B45526F7F53F0406F15EAABCA2C12BE1,IMPHASH=00000000000000000000000000000000falsetrue