23542300x800000000000000017186Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:14:46.363{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4689334E33D8C93B4847C34C4AFB3ED6,SHA256=7F886516B0627DCD35A21972ACFBCB978B34FD42F1DE85B9540F7EF9E48903F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032381Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:14:46.510{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78343FBAAE77AAA4D51A8B5DF643461D,SHA256=DE12E0857D41872DD0FB58793C9881FA3FF2AB3382B763F21668D16D3A0F925D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032383Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:14:47.543{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70F9E793B3FBB388D4845559ED8AE3AE,SHA256=2078CA69FD9D5E4814874C09C34619F68EA779926E23C6F304BC2028601F35EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017187Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:14:47.368{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F06B9C2440F72F5741E1AF2070D413CA,SHA256=4CE0BEAC7148974B4AF8AA8B251F2A1874D9D32E604EE4BF0A0EE35E41A5D971,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032382Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:14:43.499{C64CDE3E-1CF7-6227-2E00-000000003602}3060C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-462.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-462.attackrange.local57898- 23542300x800000000000000032385Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:14:48.567{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF423EFF5D5EAD243A9DB329205F088B,SHA256=3AAF9B8A836DB4BA43F1598F56303A67FA6666B23F890DBBD701F716FE3149D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017188Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:14:48.399{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C18FE9E365C7F7C2E6193A587FD7058F,SHA256=8D82F61276C60B29B81EFF207B81D2591ED6B297803D1424084BEBAFB46667C0,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032384Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:14:43.684{C64CDE3E-1D02-6227-6E00-000000003602}3608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local50983-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000017189Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:14:49.415{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B57AC016AF21CCDBB8A82322B4BC9C29,SHA256=5BE92E6B712A8704152451D04669F712924CA13D4D7ABDC8F3549827436EA63C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032387Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:14:49.602{C64CDE3E-1CF7-6227-2900-000000003602}2864NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0dfe1b371cfc2186e\channels\health\respondent-20220308090810-064MD5=AC296348C12F899BF0F527F2984A2DD1,SHA256=A35560BD23E94F5C9C2AA7752B988DA786BB94608EDDAF755EB3DCD02CE684A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032386Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:14:49.602{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9D511DCE4E41A22406671C47FC25EA6,SHA256=A1AF9C649A17BC98C5754D7335D9E56FA429B2F7911A3587EC94855D24629771,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000017191Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:14:48.433{DCBFC465-2057-6227-C700-000000003702}2764C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-179.eu-central-1.compute.internal50324-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000017190Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:14:50.618{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0CA735F62B1FFABEBDAD3D0FA0A95411,SHA256=65E1158953DCBDC6FC46E506C79FFDEB4EFBE878A96B86C5332C349FB6122DC0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032389Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:14:50.616{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77E55388F670B03C6E75AE1819C35755,SHA256=E92D843602FFB3E6CE3B2AF4CCC260532F4AB7A33C0360D1AFB223992E00855F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032388Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:14:50.615{C64CDE3E-1CF7-6227-2900-000000003602}2864NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0dfe1b371cfc2186e\channels\health\surveyor-20220308090808-065MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017192Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:14:51.665{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DD52BCA33996CB86A52C082B4778FF2,SHA256=56903C401431AFED3D3E7C83E09BE134A58AB6C93C6B00AC750C7E92F58B3408,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032390Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:14:51.628{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B144EE55725EF92BBE199CBFF15D11A4,SHA256=5F10339CD73B0AFF450781D5393534F9CA717B779441354DAAFB3D17E290A005,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017193Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:14:52.680{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70064B89E691BADA1CF33B1C4DD1AAA8,SHA256=696C5E0AFAA7708409BCAB33663354F9C0C65C8E65E89CC9FBC9E675F86C33AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032393Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:14:52.844{C64CDE3E-1CE6-6227-1000-000000003602}420NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=11B006DC101377CFAF2C3D1EDCD067AF,SHA256=061A868DD03FB73838E7E02F5F7A933D98A38385B76E43056F8D743DE32CC40C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032392Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:14:52.665{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4227716B1063E8C0D551C4A16BF91DB4,SHA256=ED3743DEDEDD0AE4CB0D5429AE3921DF523D4C0B6E7782E3EC674337B226C1BA,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032391Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:14:48.753{C64CDE3E-1D02-6227-6E00-000000003602}3608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local50984-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000017194Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:14:53.727{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FCDA4363C2B59E1E79A7D000CF6931B2,SHA256=7289E357209ADA613471C2B579C30BF5447372A6A4AE3F1AEFE163ED94B2A3BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032394Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:14:53.680{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D535332FBEA0C538105FD789A58DC816,SHA256=2D1689BAD41101274F374F285F929ED359CEF62546A658448E34F08F48C52677,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017195Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:14:54.743{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0C3DB1F7F83A918D933B64983458CD6,SHA256=3C1374AC15004CE36899A931C446E8AFAF212EA5DFDFC61D9548ACC248D446D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032395Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:14:54.695{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE84999591CE266B7FBC19DFFF3C3563,SHA256=FF64634D410AC0970DAF68DC866173A9D620FD9A91EECD94B7FAD49408E95F1C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017196Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:14:55.758{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BCFBCE9B5D4781C0E30A75CAB25690E,SHA256=D6CA714449A3CE98962A9B0E45CA2B7537FBB9D954788D2B5CB5826ED3826050,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032398Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:14:55.711{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6B4E2598DD209AAA06C0DEA835785E0,SHA256=1EE9CA18AF3C4CE62C692E114AC4154422DE53078B254578B33023A9575D1B2A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032397Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:14:55.443{C64CDE3E-2A1A-6227-1807-000000003602}1268ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qh3soqs3.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032396Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:14:55.379{C64CDE3E-292B-6227-FA06-000000003602}4996ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\backup\reg_sim.bat@2022-03-08_101434MD5=1E19D534A104405C176290CB78A9F41C,SHA256=DFE0262CFA910F339F46ADD3428CD263D925223169188DB8EB4172EE3AC2E007,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017199Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:14:56.996{DCBFC465-1FE1-6227-1E00-000000003702}1908NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-015ba7764a251f6be\channels\health\respondent-20220308092036-052MD5=AD989BA5FC8211C68DEB145594DF29B5,SHA256=A92C9E9F939B5FA1DAF2D9D45D4066E44A16133766F98754DF452EC8E38921ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017198Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:14:56.760{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6EC9AAF11644175C5C863A53B5CC99F7,SHA256=9A9806D0E7AFBA68E14455433D91EFA32BFC06BE0ADEB90C68323735FF74069E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032400Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:14:56.779{C64CDE3E-1CF7-6227-2B00-000000003602}2896NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=3876A38BBEFCA90FF3CEDFEA240824F7,SHA256=1B0B546F5DF79768DBDD8B3924CC7FF13A208BFBDDD31484568BAA5945CCF5CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032399Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:14:56.726{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=986B94B44C2076F2585BC07D710FAA27,SHA256=D9D941C6215D52674EB5E3F8013A1F26F90B420D2E0ECBD1C2F405B4DD08EE32,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000017197Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:14:53.464{DCBFC465-2057-6227-C700-000000003702}2764C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-179.eu-central-1.compute.internal50325-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000017200Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:14:57.790{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB91F3C6BED6675065FF3E6373721B42,SHA256=C53C1446D11915C33D7E76C2260A1F4BEA3124A267BFE65594A0F2F18548CBDB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032402Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:14:57.727{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4BF9957256C67F1ABB9235CE4488B9E5,SHA256=6BF0F50D1D7AA0E7A8ED6D33609C9AE4E9AAC2D4401979340316069CEB67E616,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032401Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:14:53.799{C64CDE3E-1D02-6227-6E00-000000003602}3608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local50985-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000032403Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:14:58.746{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A972A0666A0074EC9035E4CAE5D06072,SHA256=65B05F489FE3BA177B34934F808E584048D5C9B8011F6489F6995EDBE9F47DC0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017201Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:14:58.010{DCBFC465-1FE1-6227-1E00-000000003702}1908NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-015ba7764a251f6be\channels\health\surveyor-20220308092033-053MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032405Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:14:59.763{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96CCAC15B4905AA2326B9FD2F27D130A,SHA256=35ED070AE5992FDDCC0597588B8E468344B6ED3B93602E4454E5DF7D96CFDC0A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017202Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:14:59.024{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05D676F6BB80B00B1546C8D7EC10E5C8,SHA256=E995C552693669CBA607F2E8F56D2293E3E7F2BEC9893B40C9DCD087670860B7,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032404Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:14:55.367{C64CDE3E-1CF7-6227-2B00-000000003602}2896C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local50986-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x800000000000000017203Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:00.227{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=208D595B4AF9F1D746E719027DBF3528,SHA256=54A903A1B51F02D69EC73055B2E1DDD50910B5D67FA364F82F7B3CC9EF3ECFC1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032406Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:00.794{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF35BBC605D7D7BCE2BC23E70FBD219A,SHA256=5FD6EC266E41D93FFA495DD272B7E959E69B723C4AE2E68C832028091A4F2285,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032407Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:01.809{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A9D3EA4AA8886059626D0098DA9B75E,SHA256=51EEB9B5B8BA8AC1E39D3A852E444CEDDD670A6CB2613AE83E1BBAE0E72CBF32,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017204Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:01.243{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=774CFD2026C566209CDA233248767351,SHA256=24F34B2FF37B49A29DF49626835A16621F75325634E14AE31201F0F80E744CDC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032409Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:02.811{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D5111FF3ABBFEE0887E0AE491A6CB68,SHA256=5308BC9A3CDC4C596D61726C20468624F40F39DCC347E1B9BE0DC544665DA35A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017206Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:02.259{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3EF25C485E1BCB17D12F297ED864D84,SHA256=209CF964523DA833A67F1A3749182CAEE8BB2A4B71C51EF1F844587F17A1E36E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032408Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:02.395{C64CDE3E-292B-6227-FA06-000000003602}4996ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\backup\reg_sim.bat@2022-03-08_101434MD5=8F366F9F677889D18F9B69CC5F4BCC8A,SHA256=BEFA59E8A112D10304C18B163F6D289A2C1FA3BFDA315DCEB16880ABA69F5308,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000017205Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:14:59.417{DCBFC465-2057-6227-C700-000000003702}2764C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-179.eu-central-1.compute.internal50326-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000032414Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:03.826{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07A7007D87012A15D45C3F9CE72363CF,SHA256=0C728043397B179C9DCADDB19011109F65390D5B5ED0162956A367F3B110C809,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017207Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:03.305{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=409343B1195FFA9D1B6A3538601702AA,SHA256=EC91175D8290EB9599C90359B7DAAF610E8AE5C929008C14ADB2DF28768DB41A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032413Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:03.295{C64CDE3E-292B-6227-FA06-000000003602}4996ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\backup\reg_sim.bat@2022-03-08_101434MD5=E332195D8BC167CE195E6AF0DD04C245,SHA256=D739DB732AC65FB243D788E98B93494F6B7408A4E6A6971557FB158CA100C3C7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000032412Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:03.279{C64CDE3E-292B-6227-FA06-000000003602}4996C:\Program Files\Notepad++\notepad++.exeC:\Temp\reg_sim.bat2022-03-08 10:08:33.213 23542300x800000000000000032411Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:03.279{C64CDE3E-292B-6227-FA06-000000003602}4996ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Temp\reg_sim.batMD5=9317991E7E62982FA04F6BC78530B5F2,SHA256=D32156CBEA60C7C173E58E9543C6D15BF7A128E8607C73E4E9B2DA57292C7D47,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032410Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:14:59.765{C64CDE3E-1D02-6227-6E00-000000003602}3608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local50987-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000017208Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:04.321{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADD0A0EB960C962A72FE9FACFFB5A427,SHA256=3977002856FC8307E0CFCC970BD042F4E5A24DB9A941824AB6519597CF8C9A68,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032415Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:04.848{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D72DABDBAC614141C402E42B101E3A6,SHA256=9BAB8D3EBB6756D7B4172F5C4A868F0FB0371749747B4B909A736CF7D0273A49,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032416Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:05.864{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=011C1365047FA911A9A4CC2DF43858E7,SHA256=8B8CE3D16516C8192F25DEDA5332F542BE4B863A92BD958424D70E1909BF9706,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017209Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:05.321{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8AB7BF95DC41098427C1815A65B9F15C,SHA256=D0B071F9A02875C2184311E5EC9F9119C8F4D1A874B36C616C412986DD6C8294,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032417Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:06.864{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62B8C2B444421309B7E3603B930C1D2C,SHA256=5D18383B8FEF40B444C51F8E76A2B9B95DAF4C9F06DD843740A495022032C561,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017210Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:06.352{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A3FA289FED61C75B2610830CCFD3CCC,SHA256=1C46D50F91050974680DED7D83DD6FF0C398A21E081668C9C4460303D48C50E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032418Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:07.879{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9295B469A440CDE90826FDB4EB5AC932,SHA256=3303671014AA5DF71338D888127CEDB144AC97186E89D6495AAF4606ACB8073E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000017212Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:04.495{DCBFC465-2057-6227-C700-000000003702}2764C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-179.eu-central-1.compute.internal50327-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000017211Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:07.355{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=556482B940D4A9723933AF8AD58DDE78,SHA256=ABF3DB1C3C9E92E5EEDA7BDFDBBBFC1D6A01A921AD01045EDF10C260FEB53938,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032419Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:08.894{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B40AD790455516E487A1579CFC82E48,SHA256=CA992EE0FEB1F907E6D2CBD3B5BF0637BEC45F5C9170731DE27404E172FCC418,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017213Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:08.371{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C9308188C9B20E94C0248DB174BE91A,SHA256=E02D5DCC1F35D36E65C5403B4AE0737EFD9A3EF4618ADE08E33E282DB24B4C95,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017214Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:09.449{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78168CCCE189B8ED56FB9D17BDC2A9B5,SHA256=C6FFFB36DDE0A852183481269E6330AEE7D2F553D17013074C679C30BBA2780B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032421Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:09.914{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E38B8F51BA616B9EE59A9B638D4CCD8,SHA256=34D9A397CBF1F675D3D65A213F254322EB405D0E85F93D7AEBC89268A0A0414E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032420Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:05.699{C64CDE3E-1D02-6227-6E00-000000003602}3608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local50988-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000017215Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:10.668{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12C092AAF38FF024729E90C125CCE25E,SHA256=B0E36E3BBEAA2020758989CF79A57CDC45D46CAB24FA69A0FAD011E9CA32D371,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032422Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:10.931{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A98A7D638C9FAA0A12D2A90264160B62,SHA256=C354E1318594F28BB58C6270732006669241F1666A5D66D8FC1FA54D572EC09C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017216Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:11.871{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D11E94D797EDBD11B81816A09969127E,SHA256=1CD426A7E7AC807877A084C620D6355C4A533040DCA7C848B467484F5BE7E393,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032423Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:11.950{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4674048937ABA872CDFE4C931BDBE0D,SHA256=3416CCD64128D55575FB14F1523800A90A80211A03946B0E0D9ADE4CADDED759,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032427Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:12.984{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9481220680DC162E4280554A8AE5E3F2,SHA256=178C903C5CC6BA1A2112B2454553A7F37D33FB612CCF43D2CC384C93AD5DF7B7,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000017217Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:10.326{DCBFC465-2057-6227-C700-000000003702}2764C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-179.eu-central-1.compute.internal50328-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000032426Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:12.399{C64CDE3E-1CE6-6227-0C00-000000003602}8242200C:\Windows\system32\svchost.exe{C64CDE3E-1CE6-6227-1500-000000003602}1248C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032425Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:12.399{C64CDE3E-1CE6-6227-0C00-000000003602}8242200C:\Windows\system32\svchost.exe{C64CDE3E-1CE6-6227-1500-000000003602}1248C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032424Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:12.399{C64CDE3E-1CE6-6227-0C00-000000003602}8242200C:\Windows\system32\svchost.exe{C64CDE3E-1CE6-6227-1500-000000003602}1248C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000017218Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:13.043{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C93030BC2307FE9DFF01DA82C76452D,SHA256=9AC2E806F9A683FBAA6D716A310C7AA0C7F59858B15C2EC74CDD08983CD6511B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032428Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:13.415{C64CDE3E-2A1A-6227-1807-000000003602}1268ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qh3soqs3.default-release\datareporting\aborted-session-pingMD5=69E1209F2F7EA451F9529140AB56B269,SHA256=468D2E6A051D8F1A40EA39B3E1CE9A79D76D4761F30409739C40AF73DAAB5347,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017219Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:14.058{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=516A504D8EA2795A3AE346262E12792E,SHA256=033CDD0E13185395C4D94375476BF9EDD21C16179ABAB671169253DCA1048AA3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032430Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:11.690{C64CDE3E-1D02-6227-6E00-000000003602}3608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local50989-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000032429Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:13.999{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A693E7E3D0D01277C7D15CA392BB4D88,SHA256=7E532222944FC6A55E3D09A986BBBE972D85F7893887384282646B6ED8211CA9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017220Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:15.074{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23354344BE157B3F9DA5A6EA2A8298EE,SHA256=33E8A72E224F6CBBF4B671EA6AC9B03D376FDA34EAF1ED0D2A0200F1C054CABE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032431Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:15.000{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=064BC5D41B8ED5B4B1529F5095F3CDBC,SHA256=B5A799F93DF0F46AB7BFE4A708477D16ED83E0516778577FE6522D084E82021F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017221Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:16.152{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4CAE5DF98197BE5D97F3B4B92FDF838A,SHA256=F96613918A12F277800DB7107DEEC75AD36D04B2087B86E26F9A201D96D3F753,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032433Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:16.414{C64CDE3E-292B-6227-FA06-000000003602}4996ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\session.xmlMD5=3222DCC7C838AAE7B1781FAAFE80C377,SHA256=CC61DE33BEB515E10C05F3E32ED52A7857154385F951A922654DD4193B5D04B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032432Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:16.015{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18933A34942CFB91B2D84B1F0E9B4082,SHA256=6DC3BE28CE365756E75FAD902B58C97E2D50E1BC7F62F06FF383AF989E228FAD,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000017223Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:15.483{DCBFC465-2057-6227-C700-000000003702}2764C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-179.eu-central-1.compute.internal50329-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000017222Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:17.215{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CAA656BA57F3EA98DC3A21DA6AB11BA4,SHA256=C4BBC3D3B6347EE3A7886B46891FB5498B8B9B9294F360D1D1B2BA694F5B653D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032434Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:17.030{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F685E85D9F773BED501C346C1495B0A,SHA256=1A6257C78372C1174F4F5B684D11A7469D72CC416D0B27460C8D08C5C57008B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017224Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:18.449{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=861D5C041022F236426ADE5694E27EB6,SHA256=CDF028CED29582B2DFCF0B85B3A53950DA8B405C08EFDFFF5D332F52D9DE6DCD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032435Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:18.030{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0E232BC675D727C7A32FCBCF8C2321C,SHA256=D2C8814412A4D3046C3F0EF536BBF22CBD3FC781E2E688FF0BAC43340BF9D9F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017225Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:19.684{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26B63F1BBF43477EA34863696A387938,SHA256=18643A5F2927E0B5B8C17807BAC86FA94E91BC390C6A1A2A1FE2C58900947A3E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032437Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:16.732{C64CDE3E-1D02-6227-6E00-000000003602}3608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local50990-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000032436Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:19.032{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D4A1099402F61CDD78CA472F35AE9C5,SHA256=24223B54DC1775B06A2CCB093216DA1C85F6A12103C87C394E3ED97777CDBFC4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017226Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:20.699{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=014254A410B2A83A993FDEF1C6043D61,SHA256=92233F7718937A29566D8CF49C6841A1DEEB27C3665CE0B1DDAC382ED3181346,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000032446Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:20.501{C64CDE3E-1CF9-6227-3500-000000003602}32643284C:\Windows\system32\conhost.exe{C64CDE3E-2CB8-6227-7C07-000000003602}4628C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032445Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:20.501{C64CDE3E-1CE6-6227-0C00-000000003602}8242200C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032444Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:20.501{C64CDE3E-1CE6-6227-0C00-000000003602}8242200C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032443Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:20.501{C64CDE3E-1CE6-6227-0C00-000000003602}8242200C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032442Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:20.501{C64CDE3E-1CE6-6227-0C00-000000003602}8242200C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032441Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:20.501{C64CDE3E-1CE4-6227-0500-000000003602}396512C:\Windows\system32\csrss.exe{C64CDE3E-2CB8-6227-7C07-000000003602}4628C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000032440Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:20.501{C64CDE3E-1CF7-6227-2B00-000000003602}28962348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C64CDE3E-2CB8-6227-7C07-000000003602}4628C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000032439Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:20.502{C64CDE3E-2CB8-6227-7C07-000000003602}4628C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C64CDE3E-1CE4-6227-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{C64CDE3E-1CF7-6227-2B00-000000003602}2896C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000032438Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:20.033{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA6258F6CEAC4C334DA21F5AD0ADAD5F,SHA256=6866585AF5431A2A5A43DCB503BF20DDE79CDC312E814E7D5C55783AF7247C5C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017227Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:21.699{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=519B69AF9C1F1827860D104C29E59081,SHA256=ECCC9EF691E732ADFF243CB298BDA56F2207E172B8B9D6356F177D30333ADB01,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032458Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:21.517{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A105DE881AF49C2C349D671F62E7EDCC,SHA256=5E056C886335CA1EB9ADAEDD058151B913D2D03CB3977C64C5C13E91D7EC5BA4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032457Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:21.517{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7620B58072FAD5D507BF06105D3E5F39,SHA256=4EF2E8DA239691D6CE823B8AA2F5D7FFEA4F7DA7EF9CA596EE1E676472550F86,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000032456Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:21.301{C64CDE3E-2CB9-6227-7D07-000000003602}46483544C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{C64CDE3E-1CF7-6227-2B00-000000003602}2896C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032455Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:21.117{C64CDE3E-1CF9-6227-3500-000000003602}32643284C:\Windows\system32\conhost.exe{C64CDE3E-2CB9-6227-7D07-000000003602}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032454Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:21.117{C64CDE3E-1CE6-6227-0C00-000000003602}8242200C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032453Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:21.117{C64CDE3E-1CE6-6227-0C00-000000003602}8242200C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032452Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:21.117{C64CDE3E-1CE6-6227-0C00-000000003602}8242200C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032451Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:21.117{C64CDE3E-1CE6-6227-0C00-000000003602}8242200C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032450Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:21.117{C64CDE3E-1CE4-6227-0500-000000003602}396384C:\Windows\system32\csrss.exe{C64CDE3E-2CB9-6227-7D07-000000003602}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000032449Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:21.117{C64CDE3E-1CF7-6227-2B00-000000003602}28962348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C64CDE3E-2CB9-6227-7D07-000000003602}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000032448Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:21.119{C64CDE3E-2CB9-6227-7D07-000000003602}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C64CDE3E-1CE4-6227-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{C64CDE3E-1CF7-6227-2B00-000000003602}2896C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000032447Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:21.053{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9E4F49242A1A57D8023EDA38F8E8CDC,SHA256=B900D1B2EBDCBB7C5181BD9B278822A6E11709639C71A4591005A83173FB34B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017228Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:22.761{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B57C827641C744EE41217A0FC3601640,SHA256=5C5A8DF823D98AE0BB9663376B6E3BB115C7D9577A5E7FE1BE3599956BCDD3EA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000032501Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:22.606{C64CDE3E-1CF9-6227-3500-000000003602}32643284C:\Windows\system32\conhost.exe{C64CDE3E-2CBA-6227-7E07-000000003602}4512C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032500Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:22.606{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032499Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:22.606{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032498Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:22.606{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032497Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:22.606{C64CDE3E-1CE4-6227-0500-000000003602}396512C:\Windows\system32\csrss.exe{C64CDE3E-2CBA-6227-7E07-000000003602}4512C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000032496Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:22.606{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032495Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:22.606{C64CDE3E-1CF7-6227-2B00-000000003602}28962348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C64CDE3E-2CBA-6227-7E07-000000003602}4512C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000032494Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:22.607{C64CDE3E-2CBA-6227-7E07-000000003602}4512C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C64CDE3E-1CE4-6227-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{C64CDE3E-1CF7-6227-2B00-000000003602}2896C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000032493Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:22.269{C64CDE3E-1CE6-6227-0D00-000000003602}884904C:\Windows\system32\svchost.exe{C64CDE3E-2025-6227-3602-000000003602}4668C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032492Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:22.269{C64CDE3E-1CE6-6227-0D00-000000003602}884904C:\Windows\system32\svchost.exe{C64CDE3E-2025-6227-3602-000000003602}4668C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032491Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:22.269{C64CDE3E-1CE6-6227-0D00-000000003602}884904C:\Windows\system32\svchost.exe{C64CDE3E-2025-6227-3602-000000003602}4668C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032490Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:22.269{C64CDE3E-1CE6-6227-0D00-000000003602}884904C:\Windows\system32\svchost.exe{C64CDE3E-2025-6227-3602-000000003602}4668C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032489Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:22.269{C64CDE3E-1CE6-6227-0D00-000000003602}884904C:\Windows\system32\svchost.exe{C64CDE3E-2025-6227-3602-000000003602}4668C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032488Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:22.269{C64CDE3E-1CE6-6227-0D00-000000003602}884904C:\Windows\system32\svchost.exe{C64CDE3E-2025-6227-3602-000000003602}4668C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032487Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:22.269{C64CDE3E-1CE6-6227-0D00-000000003602}884904C:\Windows\system32\svchost.exe{C64CDE3E-2025-6227-3602-000000003602}4668C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032486Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:22.269{C64CDE3E-1CE6-6227-0D00-000000003602}884904C:\Windows\system32\svchost.exe{C64CDE3E-2025-6227-3602-000000003602}4668C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032485Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:22.269{C64CDE3E-1CE6-6227-0D00-000000003602}884904C:\Windows\system32\svchost.exe{C64CDE3E-2013-6227-1602-000000003602}1740C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032484Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:22.269{C64CDE3E-1CE6-6227-0D00-000000003602}884904C:\Windows\system32\svchost.exe{C64CDE3E-2013-6227-1602-000000003602}1740C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032483Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:22.269{C64CDE3E-1CE6-6227-0D00-000000003602}884904C:\Windows\system32\svchost.exe{C64CDE3E-2013-6227-1602-000000003602}1740C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032482Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:22.269{C64CDE3E-1CE6-6227-0D00-000000003602}884904C:\Windows\system32\svchost.exe{C64CDE3E-2013-6227-1602-000000003602}1740C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032481Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:22.269{C64CDE3E-1CE6-6227-0D00-000000003602}884904C:\Windows\system32\svchost.exe{C64CDE3E-2013-6227-1602-000000003602}1740C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032480Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:22.269{C64CDE3E-1CE6-6227-0D00-000000003602}884904C:\Windows\system32\svchost.exe{C64CDE3E-2013-6227-1602-000000003602}1740C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032479Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:22.269{C64CDE3E-1CE6-6227-0D00-000000003602}884904C:\Windows\system32\svchost.exe{C64CDE3E-2013-6227-1602-000000003602}1740C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032478Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:22.269{C64CDE3E-1CE6-6227-0D00-000000003602}884904C:\Windows\system32\svchost.exe{C64CDE3E-2013-6227-1602-000000003602}1740C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032477Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:22.269{C64CDE3E-1CE6-6227-0D00-000000003602}884904C:\Windows\system32\svchost.exe{C64CDE3E-2013-6227-1602-000000003602}1740C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032476Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:22.269{C64CDE3E-1CE6-6227-0D00-000000003602}884904C:\Windows\system32\svchost.exe{C64CDE3E-2013-6227-1602-000000003602}1740C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032475Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:22.269{C64CDE3E-1CE6-6227-0D00-000000003602}884904C:\Windows\system32\svchost.exe{C64CDE3E-2013-6227-1602-000000003602}1740C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032474Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:22.269{C64CDE3E-1CE6-6227-0D00-000000003602}884904C:\Windows\system32\svchost.exe{C64CDE3E-2013-6227-1602-000000003602}1740C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032473Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:22.269{C64CDE3E-1CE6-6227-0D00-000000003602}884904C:\Windows\system32\svchost.exe{C64CDE3E-2013-6227-1602-000000003602}1740C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032472Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:22.269{C64CDE3E-1CE6-6227-0D00-000000003602}884904C:\Windows\system32\svchost.exe{C64CDE3E-2013-6227-1602-000000003602}1740C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032471Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:22.269{C64CDE3E-1CE6-6227-0D00-000000003602}884904C:\Windows\system32\svchost.exe{C64CDE3E-2013-6227-1602-000000003602}1740C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032470Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:22.269{C64CDE3E-1CE6-6227-0D00-000000003602}884904C:\Windows\system32\svchost.exe{C64CDE3E-2013-6227-1602-000000003602}1740C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032469Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:22.269{C64CDE3E-1CE6-6227-0D00-000000003602}884904C:\Windows\system32\svchost.exe{C64CDE3E-2013-6227-1602-000000003602}1740C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032468Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:22.269{C64CDE3E-1CE6-6227-0D00-000000003602}884904C:\Windows\system32\svchost.exe{C64CDE3E-2013-6227-1602-000000003602}1740C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032467Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:22.269{C64CDE3E-1CE6-6227-0D00-000000003602}884904C:\Windows\system32\svchost.exe{C64CDE3E-2028-6227-3902-000000003602}5520C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032466Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:22.269{C64CDE3E-1CE6-6227-0D00-000000003602}884904C:\Windows\system32\svchost.exe{C64CDE3E-2028-6227-3902-000000003602}5520C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032465Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:22.269{C64CDE3E-1CE6-6227-0D00-000000003602}884904C:\Windows\system32\svchost.exe{C64CDE3E-2028-6227-3902-000000003602}5520C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032464Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:22.269{C64CDE3E-1CE6-6227-0D00-000000003602}884904C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2D00-000000003602}3052C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032463Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:22.269{C64CDE3E-1CE6-6227-0D00-000000003602}884904C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2D00-000000003602}3052C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000032462Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:22.116{C64CDE3E-292B-6227-FA06-000000003602}4996ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\backup\reg_sim.bat@2022-03-08_101516MD5=CFDB76C7F3FE01B2084F98C394FBC90C,SHA256=2CBA73062228575319218C0ADC3E7523188CCFF173A7C9CF4BC2181CBA8577E5,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000032461Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:22.100{C64CDE3E-292B-6227-FA06-000000003602}4996C:\Program Files\Notepad++\notepad++.exeC:\Temp\reg_sim.bat2022-03-08 10:08:33.213 23542300x800000000000000032460Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:22.100{C64CDE3E-292B-6227-FA06-000000003602}4996ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Temp\reg_sim.batMD5=E332195D8BC167CE195E6AF0DD04C245,SHA256=D739DB732AC65FB243D788E98B93494F6B7408A4E6A6971557FB158CA100C3C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032459Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:22.069{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1CFCBFD2FB58278C5E82B44CCA981EB,SHA256=6E7645D662BCF164DA2277B50C2536E45F336D484EB6C79B43DF8426E1857208,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017230Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:23.902{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E70F2C4648C18D34C40DD17B0AE4EE2,SHA256=04CDDCAE9B281742046D2302E97D63B59407D3CAC599B18DC08A7FCA2144CA41,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000017229Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:21.436{DCBFC465-2057-6227-C700-000000003702}2764C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-179.eu-central-1.compute.internal50330-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000032512Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:23.606{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A105DE881AF49C2C349D671F62E7EDCC,SHA256=5E056C886335CA1EB9ADAEDD058151B913D2D03CB3977C64C5C13E91D7EC5BA4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000032511Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:23.575{C64CDE3E-2CBB-6227-7F07-000000003602}56246624C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C64CDE3E-1CF7-6227-2B00-000000003602}2896C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000032510Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:23.421{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D0091DF85725C3CFC384589BF65B3D6,SHA256=27BA94052BAAE7653C7A420F4317CAD4C27271E992C7D548E26A1C678CB62B50,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000032509Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:23.375{C64CDE3E-1CF9-6227-3500-000000003602}32643284C:\Windows\system32\conhost.exe{C64CDE3E-2CBB-6227-7F07-000000003602}5624C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032508Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:23.375{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032507Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:23.375{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032506Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:23.375{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032505Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:23.375{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032504Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:23.375{C64CDE3E-1CE4-6227-0500-000000003602}396384C:\Windows\system32\csrss.exe{C64CDE3E-2CBB-6227-7F07-000000003602}5624C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000032503Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:23.375{C64CDE3E-1CF7-6227-2B00-000000003602}28962348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C64CDE3E-2CBB-6227-7F07-000000003602}5624C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000032502Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:23.375{C64CDE3E-2CBB-6227-7F07-000000003602}5624C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C64CDE3E-1CE4-6227-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C64CDE3E-1CF7-6227-2B00-000000003602}2896C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000017231Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:24.902{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2505C18CD2083F22A6B9BF09B8E2AC3F,SHA256=3BD50C71E72F1BEAAAC38FAF7B67ACCD9D1FA6FAD3D81203F98A75BE866D294B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032515Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:21.692{C64CDE3E-1CE4-6227-0B00-000000003602}612C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-462.attackrange.local50991-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-462.attackrange.local389ldap 354300x800000000000000032514Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:21.692{C64CDE3E-1CF7-6227-2800-000000003602}2856C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-462.attackrange.local50991-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-462.attackrange.local389ldap 23542300x800000000000000032513Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:24.405{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBA511D70DE91B469C8F5DF8935D824D,SHA256=F9017FF19A665C027C0FBD9DC205031B56993BD6406B3A36486D56789F82DFF2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017232Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:25.933{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7849F8952850C7674FB85894CBB71F35,SHA256=45C70A756AE853E2A03BF6FFAB969D9BC4554709007CC012010B1A66A813AE8F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032517Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:21.854{C64CDE3E-1D02-6227-6E00-000000003602}3608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local50992-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000032516Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:25.436{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=496A0B926921296EB5D33A3E7D3441F3,SHA256=678519B2EC9A060D603FC636CB35F2A5BA2B875E30B5E7AEECE601BECF5CB52B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017233Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:26.953{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1CC2FC331EA7B17156B55B6FD7616925,SHA256=0E3591D5292297994DE54B871E627ACB6CE23443C91F8032FB1AA50F1D7A83F0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000032539Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:26.937{C64CDE3E-2CBE-6227-8107-000000003602}45526424C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C64CDE3E-1CF7-6227-2B00-000000003602}2896C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032538Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:26.685{C64CDE3E-2013-6227-1602-000000003602}17405652C:\Windows\Explorer.EXE{C64CDE3E-2A1A-6227-1807-000000003602}1268C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63207|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032537Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:26.685{C64CDE3E-2013-6227-1602-000000003602}17405212C:\Windows\Explorer.EXE{C64CDE3E-2A1A-6227-1807-000000003602}1268C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63940|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032536Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:26.685{C64CDE3E-2013-6227-1602-000000003602}17405212C:\Windows\Explorer.EXE{C64CDE3E-2A1A-6227-1807-000000003602}1268C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d549|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032535Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:26.621{C64CDE3E-1CF9-6227-3500-000000003602}32643284C:\Windows\system32\conhost.exe{C64CDE3E-2CBE-6227-8107-000000003602}4552C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032534Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:26.621{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032533Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:26.621{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032532Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:26.621{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032531Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:26.621{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032530Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:26.621{C64CDE3E-1CE4-6227-0500-000000003602}396412C:\Windows\system32\csrss.exe{C64CDE3E-2CBE-6227-8107-000000003602}4552C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000032529Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:26.621{C64CDE3E-1CF7-6227-2B00-000000003602}28962348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C64CDE3E-2CBE-6227-8107-000000003602}4552C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000032528Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:26.622{C64CDE3E-2CBE-6227-8107-000000003602}4552C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{C64CDE3E-1CE4-6227-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C64CDE3E-1CF7-6227-2B00-000000003602}2896C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000032527Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:26.437{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D928CDADD05CA1851701406E7BDA1921,SHA256=8DF1F7A47D231AC337C00328E1BADC13C24A71208E2D9A35DC0644627B3B694B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000032526Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:26.374{C64CDE3E-2CBE-6227-8007-000000003602}28326488C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{C64CDE3E-1CF7-6227-2B00-000000003602}2896C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032525Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:26.121{C64CDE3E-1CF9-6227-3500-000000003602}32643284C:\Windows\system32\conhost.exe{C64CDE3E-2CBE-6227-8007-000000003602}2832C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032524Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:26.121{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032523Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:26.121{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032522Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:26.121{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032521Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:26.121{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032520Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:26.121{C64CDE3E-1CE4-6227-0500-000000003602}396412C:\Windows\system32\csrss.exe{C64CDE3E-2CBE-6227-8007-000000003602}2832C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000032519Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:26.121{C64CDE3E-1CF7-6227-2B00-000000003602}28962348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C64CDE3E-2CBE-6227-8007-000000003602}2832C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000032518Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:26.122{C64CDE3E-2CBE-6227-8007-000000003602}2832C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C64CDE3E-1CE4-6227-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{C64CDE3E-1CF7-6227-2B00-000000003602}2896C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000017234Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:27.953{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6983CB7F83B715ED1D5FB98F2C3A7918,SHA256=8EBC4833A1C536DA474C4B2D3EF1C57BD39F7D39C12C970FE250FEC1E55AB5E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032549Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:27.459{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C04BB00E583DE879E2CD77786BDDEEEC,SHA256=B5348BA9EFDA79A96167F682A3C8415BCA32C990D87F9068CEDEF6059095461B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000032548Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:27.306{C64CDE3E-1CF9-6227-3500-000000003602}32643284C:\Windows\system32\conhost.exe{C64CDE3E-2CBF-6227-8207-000000003602}3924C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032547Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:27.306{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032546Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:27.306{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032545Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:27.306{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032544Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:27.306{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032543Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:27.306{C64CDE3E-1CE4-6227-0500-000000003602}396412C:\Windows\system32\csrss.exe{C64CDE3E-2CBF-6227-8207-000000003602}3924C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000032542Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:27.306{C64CDE3E-1CF7-6227-2B00-000000003602}28962348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C64CDE3E-2CBF-6227-8207-000000003602}3924C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000032541Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:27.307{C64CDE3E-2CBF-6227-8207-000000003602}3924C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C64CDE3E-1CE4-6227-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{C64CDE3E-1CF7-6227-2B00-000000003602}2896C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000032540Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:27.126{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=21E5B86234AF0D22F589E1A369A664C2,SHA256=9606F707E6A57C623F7FCB7FC9CB3A692566029BE55995297137EC204E1A916B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017235Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:28.953{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=481E036989A1A676E9C6296992320E66,SHA256=6EBA445DCB718BBD22A731E80BC02FA221A4DC38459669B0AF6891BA077AD9ED,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000032555Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:28.727{C64CDE3E-1CE6-6227-1100-000000003602}4001588C:\Windows\system32\svchost.exe{C64CDE3E-2C51-6227-7207-000000003602}3844C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032554Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:28.639{C64CDE3E-2A1A-6227-1807-000000003602}12683920C:\Program Files\Mozilla Firefox\firefox.exe{C64CDE3E-2A65-6227-3407-000000003602}7164C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+2b990|C:\Program Files\Mozilla Firefox\xul.dll+e4023d|C:\Program Files\Mozilla Firefox\xul.dll+e3fcc8|C:\Program Files\Mozilla Firefox\xul.dll+847632|C:\Program Files\Mozilla Firefox\xul.dll+83b7f1|C:\Program Files\Mozilla Firefox\xul.dll+19e1dff|C:\Program Files\Mozilla Firefox\xul.dll+16bf299|C:\Program Files\Mozilla Firefox\xul.dll+1a0aae8|C:\Program Files\Mozilla Firefox\xul.dll+98ca3f|C:\Program Files\Mozilla Firefox\xul.dll+2461e|C:\Program Files\Mozilla Firefox\xul.dll+18b6c8|C:\Program Files\Mozilla Firefox\xul.dll+18a5bf|C:\Program Files\Mozilla Firefox\xul.dll+43f1071|C:\Program Files\Mozilla Firefox\xul.dll+445b70b|C:\Program Files\Mozilla Firefox\xul.dll+445c4f9|C:\Program Files\Mozilla Firefox\xul.dll+1fa5a63|C:\Program Files\Mozilla Firefox\firefox.exe+9e10|C:\Program Files\Mozilla Firefox\firefox.exe+1ca68|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032553Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:28.635{C64CDE3E-2A1A-6227-1807-000000003602}12683920C:\Program Files\Mozilla Firefox\firefox.exe{C64CDE3E-2C51-6227-7207-000000003602}3844C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+2b990|C:\Program Files\Mozilla Firefox\xul.dll+e4023d|C:\Program Files\Mozilla Firefox\xul.dll+e3a359|C:\Program Files\Mozilla Firefox\xul.dll+e3ad48|C:\Program Files\Mozilla Firefox\xul.dll+e291e1|C:\Program Files\Mozilla Firefox\xul.dll+42295e4|C:\Program Files\Mozilla Firefox\xul.dll+244e3d0|C:\Program Files\Mozilla Firefox\xul.dll+97f5ae|C:\Program Files\Mozilla Firefox\xul.dll+942851|C:\Program Files\Mozilla Firefox\xul.dll+18b9dd|C:\Program Files\Mozilla Firefox\xul.dll+982a97|C:\Program Files\Mozilla Firefox\xul.dll+4385786|C:\Program Files\Mozilla Firefox\xul.dll+94b7cf|C:\Program Files\Mozilla Firefox\xul.dll+94e4d1|C:\Program Files\Mozilla Firefox\xul.dll+94d2ae|C:\Program Files\Mozilla Firefox\xul.dll+94c631|C:\Program Files\Mozilla Firefox\xul.dll+956664|C:\Program Files\Mozilla Firefox\xul.dll+8984da|C:\Program Files\Mozilla Firefox\xul.dll+82d577|C:\Program Files\Mozilla Firefox\xul.dll+19e1dff|C:\Program Files\Mozilla Firefox\xul.dll+16bf299|C:\Program Files\Mozilla Firefox\xul.dll+1a0aae8 23542300x800000000000000032552Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:28.531{C64CDE3E-2A1A-6227-1807-000000003602}1268ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qh3soqs3.default-release\formhistory.sqlite-journalMD5=8D0EBE12A0F16D3FE292A4FB91A098E0,SHA256=0DA5028350D08ED64B935526DDC8449B7C569EF59DE6ECCBAE268678476D1CE3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032551Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:28.463{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86A4F2AEC4BE06B7BEFAB8AF293953A3,SHA256=4723A3A534CE2F62848EA10A56E39644383CF1E4DB7B106C5C33A5181DD9D43B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032550Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:28.319{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D4056AB865DAEA66FDB098AE7F5B80D2,SHA256=C07404689E40A33576F59164434D289A6EE31EAA0CF3EEA897FABD8B92EFCA08,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017236Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:29.953{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33E779AF16DBB09FC3448B4B386CEB3A,SHA256=63675053664E84CB030BC2DF1228560153CDD91BCC99E225587A9FA9466F124A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000032609Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:29.844{C64CDE3E-1CE6-6227-1100-000000003602}4001588C:\Windows\system32\svchost.exe{C64CDE3E-2CC1-6227-8307-000000003602}6972C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032608Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:29.841{C64CDE3E-1CE6-6227-1100-000000003602}4001588C:\Windows\system32\svchost.exe{C64CDE3E-2CC1-6227-8307-000000003602}6972C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032607Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:29.823{C64CDE3E-1CE4-6227-0B00-000000003602}6125348C:\Windows\system32\lsass.exe{C64CDE3E-2CC1-6227-8307-000000003602}6972C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032606Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:29.823{C64CDE3E-1CE4-6227-0B00-000000003602}6125348C:\Windows\system32\lsass.exe{C64CDE3E-2CC1-6227-8307-000000003602}6972C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000032605Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:29.799{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85AB0DC76AB0A2F424493C1F1C43B8F2,SHA256=795F666251735340975B61CEF44E6182CD16B8EF9EA392A02B91DDB410D90682,IMPHASH=00000000000000000000000000000000falsetrue 18141800x800000000000000032604Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-ConnectPipe2022-03-08 10:15:29.787{C64CDE3E-2A1A-6227-1807-000000003602}1268\cubeb-pipe-1268-18C:\Program Files\Mozilla Firefox\firefox.exe 17141700x800000000000000032603Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-CreatePipe2022-03-08 10:15:29.787{C64CDE3E-2A1A-6227-1807-000000003602}1268\cubeb-pipe-1268-18C:\Program Files\Mozilla Firefox\firefox.exe 10341000x800000000000000032602Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:29.775{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-2CC1-6227-8307-000000003602}6972C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032601Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:29.773{C64CDE3E-1CE6-6227-1600-000000003602}12961336C:\Windows\system32\svchost.exe{C64CDE3E-2CC1-6227-8307-000000003602}6972C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x800000000000000032600Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-ConnectPipe2022-03-08 10:15:29.772{C64CDE3E-2A1D-6227-1907-000000003602}288\chrome.1268.54.53014384C:\Program Files\Mozilla Firefox\firefox.exe 17141700x800000000000000032599Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-CreatePipe2022-03-08 10:15:29.771{C64CDE3E-2A1A-6227-1807-000000003602}1268\chrome.1268.54.53014384C:\Program Files\Mozilla Firefox\firefox.exe 10341000x800000000000000032598Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:29.770{C64CDE3E-2A1A-6227-1807-000000003602}12686112C:\Program Files\Mozilla Firefox\firefox.exe{C64CDE3E-2CC1-6227-8307-000000003602}6972C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1a01f4f|C:\Program Files\Mozilla Firefox\xul.dll+1a007eb|C:\Program Files\Mozilla Firefox\xul.dll+12a45|C:\Program Files\Mozilla Firefox\xul.dll+98ca3f|C:\Program Files\Mozilla Firefox\xul.dll+12627|C:\Program Files\Mozilla Firefox\xul.dll+989c91|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1da48|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x800000000000000032597Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-ConnectPipe2022-03-08 10:15:29.769{C64CDE3E-2A1A-6227-1807-000000003602}1268\chrome.1268.53.61886314C:\Program Files\Mozilla Firefox\firefox.exe 10341000x800000000000000032596Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:29.764{C64CDE3E-2A1A-6227-1807-000000003602}12685064C:\Program Files\Mozilla Firefox\firefox.exe{C64CDE3E-2CC1-6227-8307-000000003602}6972C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+12034b|C:\Program Files\Mozilla Firefox\xul.dll+120e94f|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1da48|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x800000000000000032595Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-ConnectPipe2022-03-08 10:15:29.761{C64CDE3E-2A1A-6227-1807-000000003602}1268\gecko-crash-server-pipe.1268C:\Program Files\Mozilla Firefox\firefox.exe 10341000x800000000000000032594Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:29.721{C64CDE3E-2A1A-6227-1807-000000003602}12683920C:\Program Files\Mozilla Firefox\firefox.exe{C64CDE3E-2CC1-6227-8307-000000003602}6972C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+2b990|C:\Program Files\Mozilla Firefox\xul.dll+e4023d|C:\Program Files\Mozilla Firefox\xul.dll+e3a359|C:\Program Files\Mozilla Firefox\xul.dll+e2b2a1|C:\Program Files\Mozilla Firefox\xul.dll+e39418|C:\Program Files\Mozilla Firefox\xul.dll+7cdb64|C:\Program Files\Mozilla Firefox\xul.dll+19e1dff|C:\Program Files\Mozilla Firefox\xul.dll+16bf299|C:\Program Files\Mozilla Firefox\xul.dll+1a0aae8|C:\Program Files\Mozilla Firefox\xul.dll+98ca3f|C:\Program Files\Mozilla Firefox\xul.dll+2461e|C:\Program Files\Mozilla Firefox\xul.dll+18b6c8|C:\Program Files\Mozilla Firefox\xul.dll+18a5bf|C:\Program Files\Mozilla Firefox\xul.dll+43f1071|C:\Program Files\Mozilla Firefox\xul.dll+445b70b|C:\Program Files\Mozilla Firefox\xul.dll+445c4f9|C:\Program Files\Mozilla Firefox\xul.dll+1fa5a63|C:\Program Files\Mozilla Firefox\firefox.exe+9e10|C:\Program Files\Mozilla Firefox\firefox.exe+1ca68|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032593Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:29.721{C64CDE3E-2A1A-6227-1807-000000003602}12686112C:\Program Files\Mozilla Firefox\firefox.exe{C64CDE3E-2CC1-6227-8307-000000003602}6972C:\Program Files\Mozilla Firefox\firefox.exe0x101451C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+9a1cff|C:\Program Files\Mozilla Firefox\xul.dll+7cdb64|C:\Program Files\Mozilla Firefox\xul.dll+1a003ff|C:\Program Files\Mozilla Firefox\xul.dll+12a45|C:\Program Files\Mozilla Firefox\xul.dll+98ca3f|C:\Program Files\Mozilla Firefox\xul.dll+12627|C:\Program Files\Mozilla Firefox\xul.dll+989c91|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1da48|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032592Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:29.712{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032591Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:29.712{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032590Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:29.712{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032589Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:29.712{C64CDE3E-200C-6227-FA01-000000003602}37964632C:\Windows\system32\csrss.exe{C64CDE3E-2CC1-6227-8307-000000003602}6972C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000032588Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:29.712{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032587Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:29.712{C64CDE3E-2A1A-6227-1807-000000003602}12687036C:\Program Files\Mozilla Firefox\firefox.exe{C64CDE3E-2CC1-6227-8307-000000003602}6972C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\ADVAPI32.dll+189bf|C:\Program Files\Mozilla Firefox\firefox.exe+30dbd|C:\Program Files\Mozilla Firefox\firefox.exe+2ffe5|C:\Program Files\Mozilla Firefox\xul.dll+205d28a|C:\Program Files\Mozilla Firefox\xul.dll+99dcee|C:\Program Files\Mozilla Firefox\xul.dll+99beb5|C:\Program Files\Mozilla Firefox\xul.dll+9a2b2e|C:\Program Files\Mozilla Firefox\xul.dll+839abd|C:\Program Files\Mozilla Firefox\xul.dll+16c00dd|C:\Program Files\Mozilla Firefox\xul.dll+16a857b|C:\Program Files\Mozilla Firefox\xul.dll+98ca3f|C:\Program Files\Mozilla Firefox\xul.dll+2461e|C:\Program Files\Mozilla Firefox\xul.dll+83cb5b|C:\Program Files\Mozilla Firefox\nss3.dll+69cc|C:\Program Files\Mozilla Firefox\nss3.dll+8f2b1|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1da48|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000032586Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:29.713{C64CDE3E-2CC1-6227-8307-000000003602}6972C:\Program Files\Mozilla Firefox\firefox.exe97.0.2FirefoxFirefoxMozilla Corporationfirefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1268.53.618863148\929732729" -childID 19 -isForBrowser -prefsHandle 3692 -prefMapHandle 8432 -prefsLen 14746 -prefMapSize 242229 -jsInitHandle 976 -jsInitLen 279340 -parentBuildID 20220304162637 -appDir "C:\Program Files\Mozilla Firefox\browser" - 1268 "\\.\pipe\gecko-crash-server-pipe.1268" 2428 290f034ee48 tabC:\Program Files\Mozilla Firefox\ATTACKRANGE\Administrator{C64CDE3E-200F-6227-41B6-150000000000}0x15b6412LowMD5=8EED02513FEE9651AB53BCE69398DDC0,SHA256=13266B71CCF68ACF0A7E954942FE2AEC9DE087BC7074D2D86E0FEB93820752FB,IMPHASH=FAFFE564A2DAFFCCC4A6BE71D34C1748{C64CDE3E-2A1A-6227-1807-000000003602}1268C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" 10341000x800000000000000032585Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:29.709{C64CDE3E-1CE4-6227-0B00-000000003602}6125348C:\Windows\system32\lsass.exe{C64CDE3E-2A1A-6227-1807-000000003602}1268C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032584Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:29.709{C64CDE3E-1CE4-6227-0B00-000000003602}6125348C:\Windows\system32\lsass.exe{C64CDE3E-2A1A-6227-1807-000000003602}1268C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032583Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:29.709{C64CDE3E-1CE4-6227-0B00-000000003602}6125348C:\Windows\system32\lsass.exe{C64CDE3E-2A1A-6227-1807-000000003602}1268C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032582Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:29.709{C64CDE3E-1CE4-6227-0B00-000000003602}6125348C:\Windows\system32\lsass.exe{C64CDE3E-2A1A-6227-1807-000000003602}1268C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032581Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:29.709{C64CDE3E-1CE4-6227-0B00-000000003602}6125348C:\Windows\system32\lsass.exe{C64CDE3E-2A1A-6227-1807-000000003602}1268C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032580Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:29.709{C64CDE3E-1CE4-6227-0B00-000000003602}6125348C:\Windows\system32\lsass.exe{C64CDE3E-2A1A-6227-1807-000000003602}1268C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032579Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:29.709{C64CDE3E-1CE4-6227-0B00-000000003602}6125348C:\Windows\system32\lsass.exe{C64CDE3E-2A1A-6227-1807-000000003602}1268C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032578Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:29.709{C64CDE3E-1CE4-6227-0B00-000000003602}6125348C:\Windows\system32\lsass.exe{C64CDE3E-2A1A-6227-1807-000000003602}1268C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032577Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:29.709{C64CDE3E-1CE4-6227-0B00-000000003602}6125348C:\Windows\system32\lsass.exe{C64CDE3E-2A1A-6227-1807-000000003602}1268C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032576Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:29.709{C64CDE3E-1CE4-6227-0B00-000000003602}6125348C:\Windows\system32\lsass.exe{C64CDE3E-2A1A-6227-1807-000000003602}1268C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032575Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:29.709{C64CDE3E-1CE4-6227-0B00-000000003602}6125348C:\Windows\system32\lsass.exe{C64CDE3E-2A1A-6227-1807-000000003602}1268C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032574Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:29.706{C64CDE3E-1CE4-6227-0B00-000000003602}6125348C:\Windows\system32\lsass.exe{C64CDE3E-2A1A-6227-1807-000000003602}1268C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032573Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:29.706{C64CDE3E-1CE4-6227-0B00-000000003602}6125348C:\Windows\system32\lsass.exe{C64CDE3E-2A1A-6227-1807-000000003602}1268C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032572Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:29.706{C64CDE3E-1CE4-6227-0B00-000000003602}6125348C:\Windows\system32\lsass.exe{C64CDE3E-2A1A-6227-1807-000000003602}1268C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032571Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:29.706{C64CDE3E-1CE4-6227-0B00-000000003602}6125348C:\Windows\system32\lsass.exe{C64CDE3E-2A1A-6227-1807-000000003602}1268C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032570Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:29.706{C64CDE3E-1CE4-6227-0B00-000000003602}6125348C:\Windows\system32\lsass.exe{C64CDE3E-2A1A-6227-1807-000000003602}1268C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032569Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:29.706{C64CDE3E-1CE4-6227-0B00-000000003602}6125348C:\Windows\system32\lsass.exe{C64CDE3E-2A1A-6227-1807-000000003602}1268C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032568Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:29.706{C64CDE3E-1CE4-6227-0B00-000000003602}6125348C:\Windows\system32\lsass.exe{C64CDE3E-2A1A-6227-1807-000000003602}1268C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032567Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:29.706{C64CDE3E-1CE4-6227-0B00-000000003602}6125348C:\Windows\system32\lsass.exe{C64CDE3E-2A1A-6227-1807-000000003602}1268C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032566Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:29.706{C64CDE3E-1CE4-6227-0B00-000000003602}6125348C:\Windows\system32\lsass.exe{C64CDE3E-2A1A-6227-1807-000000003602}1268C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032565Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:29.706{C64CDE3E-1CE4-6227-0B00-000000003602}6125348C:\Windows\system32\lsass.exe{C64CDE3E-2A1A-6227-1807-000000003602}1268C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032564Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:29.706{C64CDE3E-1CE4-6227-0B00-000000003602}6125348C:\Windows\system32\lsass.exe{C64CDE3E-2A1A-6227-1807-000000003602}1268C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032563Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:29.706{C64CDE3E-1CE4-6227-0B00-000000003602}6125348C:\Windows\system32\lsass.exe{C64CDE3E-2A1A-6227-1807-000000003602}1268C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032562Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:29.706{C64CDE3E-1CE4-6227-0B00-000000003602}6125348C:\Windows\system32\lsass.exe{C64CDE3E-2A1A-6227-1807-000000003602}1268C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032561Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:29.703{C64CDE3E-1CE4-6227-0B00-000000003602}6125348C:\Windows\system32\lsass.exe{C64CDE3E-2A1A-6227-1807-000000003602}1268C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032560Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:29.703{C64CDE3E-1CE4-6227-0B00-000000003602}6125348C:\Windows\system32\lsass.exe{C64CDE3E-2A1A-6227-1807-000000003602}1268C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 17141700x800000000000000032559Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-CreatePipe2022-03-08 10:15:29.694{C64CDE3E-2A1A-6227-1807-000000003602}1268\chrome.1268.53.61886314C:\Program Files\Mozilla Firefox\firefox.exe 354300x800000000000000032558Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:27.116{C64CDE3E-1CF7-6227-2E00-000000003602}3060C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-462.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-462.attackrange.local56417- 354300x800000000000000032557Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:27.112{C64CDE3E-1CF7-6227-2E00-000000003602}3060C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-462.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-462.attackrange.local56666- 23542300x800000000000000032556Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:29.527{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D98E867BC508473449C7D7262E391921,SHA256=5EC8A044A1F43C38D0B45B334B492368F41743F3B91AF6E4245EA395436A0F6F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017238Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:30.953{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC3A91EE8B3C9CC3A4B7426D9763F7C0,SHA256=C1C53966103958606B31E076CB8C93832A052F28CA5AF57E5FC6A0392C96190D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032623Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:28.473{C64CDE3E-1CF7-6227-2E00-000000003602}3060C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-462.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-462.attackrange.local51440- 354300x800000000000000032622Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:28.459{C64CDE3E-1CF7-6227-2E00-000000003602}3060C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-462.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-462.attackrange.local55384- 354300x800000000000000032621Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:28.413{C64CDE3E-1CF7-6227-2E00-000000003602}3060C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-462.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-462.attackrange.local54974- 354300x800000000000000032620Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:28.410{C64CDE3E-1CF7-6227-2E00-000000003602}3060C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-462.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-462.attackrange.local52256- 23542300x800000000000000032619Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:30.783{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=73DA702BAFF11ACCF5F8000CCC886A5D,SHA256=C4941B0356F25CB189D43D499C97926AB0A8CBCC8B37DC0FB624A8E4619E4933,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000032618Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:30.745{C64CDE3E-1CE6-6227-1100-000000003602}4001588C:\Windows\system32\svchost.exe{C64CDE3E-2C62-6227-7307-000000003602}3648C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 17141700x800000000000000032617Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-CreatePipe2022-03-08 10:15:30.645{C64CDE3E-2A1A-6227-1807-000000003602}1268\chrome.1268.56.185761324C:\Program Files\Mozilla Firefox\firefox.exe 17141700x800000000000000032616Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-CreatePipe2022-03-08 10:15:30.645{C64CDE3E-2A1A-6227-1807-000000003602}1268\chrome.1268.55.179398687C:\Program Files\Mozilla Firefox\firefox.exe 354300x800000000000000032615Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:28.028{C64CDE3E-1CF7-6227-2E00-000000003602}3060C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-462.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-462.attackrange.local61021- 10341000x800000000000000032614Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:30.624{C64CDE3E-2A1A-6227-1807-000000003602}12683920C:\Program Files\Mozilla Firefox\firefox.exe{C64CDE3E-2C51-6227-7207-000000003602}3844C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+2b990|C:\Program Files\Mozilla Firefox\xul.dll+e4023d|C:\Program Files\Mozilla Firefox\xul.dll+e3fcc8|C:\Program Files\Mozilla Firefox\xul.dll+847632|C:\Program Files\Mozilla Firefox\xul.dll+83b7f1|C:\Program Files\Mozilla Firefox\xul.dll+19e1dff|C:\Program Files\Mozilla Firefox\xul.dll+16bf299|C:\Program Files\Mozilla Firefox\xul.dll+1a0aae8|C:\Program Files\Mozilla Firefox\xul.dll+98ca3f|C:\Program Files\Mozilla Firefox\xul.dll+2461e|C:\Program Files\Mozilla Firefox\xul.dll+18b6c8|C:\Program Files\Mozilla Firefox\xul.dll+18a5bf|C:\Program Files\Mozilla Firefox\xul.dll+43f1071|C:\Program Files\Mozilla Firefox\xul.dll+445b70b|C:\Program Files\Mozilla Firefox\xul.dll+445c4f9|C:\Program Files\Mozilla Firefox\xul.dll+1fa5a63|C:\Program Files\Mozilla Firefox\firefox.exe+9e10|C:\Program Files\Mozilla Firefox\firefox.exe+1ca68|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032613Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:30.615{C64CDE3E-2A1A-6227-1807-000000003602}12683920C:\Program Files\Mozilla Firefox\firefox.exe{C64CDE3E-2C62-6227-7307-000000003602}3648C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+2b990|C:\Program Files\Mozilla Firefox\xul.dll+e4023d|C:\Program Files\Mozilla Firefox\xul.dll+e3a359|C:\Program Files\Mozilla Firefox\xul.dll+e3ad48|C:\Program Files\Mozilla Firefox\xul.dll+e291e1|C:\Program Files\Mozilla Firefox\xul.dll+42295e4|C:\Program Files\Mozilla Firefox\xul.dll+244e3d0|C:\Program Files\Mozilla Firefox\xul.dll+97f5ae|C:\Program Files\Mozilla Firefox\xul.dll+942851|C:\Program Files\Mozilla Firefox\xul.dll+18b9dd|C:\Program Files\Mozilla Firefox\xul.dll+982a97|C:\Program Files\Mozilla Firefox\xul.dll+94b7cf|C:\Program Files\Mozilla Firefox\xul.dll+94e4d1|C:\Program Files\Mozilla Firefox\xul.dll+94d2ae|C:\Program Files\Mozilla Firefox\xul.dll+94c631|C:\Program Files\Mozilla Firefox\xul.dll+956664|C:\Program Files\Mozilla Firefox\xul.dll+8984da|C:\Program Files\Mozilla Firefox\xul.dll+82d577|C:\Program Files\Mozilla Firefox\xul.dll+19e1dff|C:\Program Files\Mozilla Firefox\xul.dll+16bf299|C:\Program Files\Mozilla Firefox\xul.dll+1a0aae8|C:\Program Files\Mozilla Firefox\xul.dll+98ca3f 23542300x800000000000000032612Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:30.536{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7959AA244E9F25F6FDEC385AA13D2A8,SHA256=F1FE6B3D9E19BCA752C1E7E332348CA1BB0E13E7387E78588AA2FE6C0067D112,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000017237Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:27.299{DCBFC465-2057-6227-C700-000000003702}2764C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-179.eu-central-1.compute.internal50331-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000032611Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:30.442{C64CDE3E-2A1A-6227-1807-000000003602}1268ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qh3soqs3.default-release\permissions.sqlite-journalMD5=06234356CCCD50A1B0359A6D8FDA5FCA,SHA256=8A8F747CA0C6CA804A32B3BEEBE5323E5884AF0F9722E59964D47FE23A0166B2,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032610Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:27.697{C64CDE3E-1D02-6227-6E00-000000003602}3608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local50993-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000017239Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:31.968{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4360FCA8EEE3A1668CE4A0CDD4E6E196,SHA256=89E8C02D3C5DAC4D29CECFCC115F0AAA9FCC18CB5903E57F7E2286E300BCF906,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032680Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:29.316{C64CDE3E-1CF7-6227-2E00-000000003602}3060C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-462.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-462.attackrange.local61011- 23542300x800000000000000032679Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:31.847{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F6B47357B130724D3B2A3BCD1C2ADCF,SHA256=4566D366879BDD20900658F48A32411593FA3E95CD727C84A6B995CD8157ABA1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000032678Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:31.726{C64CDE3E-1CE6-6227-1100-000000003602}4001588C:\Windows\system32\svchost.exe{C64CDE3E-2CC3-6227-8407-000000003602}3148C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032677Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:31.726{C64CDE3E-1CE6-6227-1100-000000003602}4001588C:\Windows\system32\svchost.exe{C64CDE3E-2CC3-6227-8407-000000003602}3148C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032676Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:31.711{C64CDE3E-1CE4-6227-0B00-000000003602}6126296C:\Windows\system32\lsass.exe{C64CDE3E-2CC3-6227-8407-000000003602}3148C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032675Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:31.711{C64CDE3E-1CE4-6227-0B00-000000003602}6126296C:\Windows\system32\lsass.exe{C64CDE3E-2CC3-6227-8407-000000003602}3148C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x800000000000000032674Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-ConnectPipe2022-03-08 10:15:31.693{C64CDE3E-2A1A-6227-1807-000000003602}1268\cubeb-pipe-1268-19C:\Program Files\Mozilla Firefox\firefox.exe 17141700x800000000000000032673Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-CreatePipe2022-03-08 10:15:31.693{C64CDE3E-2A1A-6227-1807-000000003602}1268\cubeb-pipe-1268-19C:\Program Files\Mozilla Firefox\firefox.exe 10341000x800000000000000032672Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:31.678{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-2CC3-6227-8407-000000003602}3148C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032671Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:31.678{C64CDE3E-1CE6-6227-1600-000000003602}12961336C:\Windows\system32\svchost.exe{C64CDE3E-2CC3-6227-8407-000000003602}3148C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x800000000000000032670Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-ConnectPipe2022-03-08 10:15:31.675{C64CDE3E-2A1D-6227-1907-000000003602}288\chrome.1268.58.74734499C:\Program Files\Mozilla Firefox\firefox.exe 17141700x800000000000000032669Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-CreatePipe2022-03-08 10:15:31.675{C64CDE3E-2A1A-6227-1807-000000003602}1268\chrome.1268.58.74734499C:\Program Files\Mozilla Firefox\firefox.exe 10341000x800000000000000032668Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:31.675{C64CDE3E-2A1A-6227-1807-000000003602}12686112C:\Program Files\Mozilla Firefox\firefox.exe{C64CDE3E-2CC3-6227-8407-000000003602}3148C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1a01f4f|C:\Program Files\Mozilla Firefox\xul.dll+1a007eb|C:\Program Files\Mozilla Firefox\xul.dll+12a45|C:\Program Files\Mozilla Firefox\xul.dll+98ca3f|C:\Program Files\Mozilla Firefox\xul.dll+12627|C:\Program Files\Mozilla Firefox\xul.dll+989c91|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1da48|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x800000000000000032667Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-ConnectPipe2022-03-08 10:15:31.675{C64CDE3E-2A1A-6227-1807-000000003602}1268\chrome.1268.57.201083622C:\Program Files\Mozilla Firefox\firefox.exe 10341000x800000000000000032666Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:31.668{C64CDE3E-2A1A-6227-1807-000000003602}12685064C:\Program Files\Mozilla Firefox\firefox.exe{C64CDE3E-2CC3-6227-8407-000000003602}3148C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+12034b|C:\Program Files\Mozilla Firefox\xul.dll+120e94f|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1da48|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x800000000000000032665Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-ConnectPipe2022-03-08 10:15:31.668{C64CDE3E-2A1A-6227-1807-000000003602}1268\gecko-crash-server-pipe.1268C:\Program Files\Mozilla Firefox\firefox.exe 10341000x800000000000000032664Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:31.638{C64CDE3E-2A1A-6227-1807-000000003602}12683920C:\Program Files\Mozilla Firefox\firefox.exe{C64CDE3E-2CC3-6227-8407-000000003602}3148C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+2b990|C:\Program Files\Mozilla Firefox\xul.dll+e4023d|C:\Program Files\Mozilla Firefox\xul.dll+e3a359|C:\Program Files\Mozilla Firefox\xul.dll+e2b2a1|C:\Program Files\Mozilla Firefox\xul.dll+e39418|C:\Program Files\Mozilla Firefox\xul.dll+7cdb64|C:\Program Files\Mozilla Firefox\xul.dll+19e1dff|C:\Program Files\Mozilla Firefox\xul.dll+19e0813|C:\Program Files\Mozilla Firefox\xul.dll+16bf7aa|C:\Program Files\Mozilla Firefox\xul.dll+1a0ab5a|C:\Program Files\Mozilla Firefox\xul.dll+98ca3f|C:\Program Files\Mozilla Firefox\xul.dll+2461e|C:\Program Files\Mozilla Firefox\xul.dll+18b6c8|C:\Program Files\Mozilla Firefox\xul.dll+18a5bf|C:\Program Files\Mozilla Firefox\xul.dll+43f1071|C:\Program Files\Mozilla Firefox\xul.dll+445b70b|C:\Program Files\Mozilla Firefox\xul.dll+445c4f9|C:\Program Files\Mozilla Firefox\xul.dll+1fa5a63|C:\Program Files\Mozilla Firefox\firefox.exe+9e10|C:\Program Files\Mozilla Firefox\firefox.exe+1ca68|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032663Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:31.638{C64CDE3E-2A1A-6227-1807-000000003602}12686112C:\Program Files\Mozilla Firefox\firefox.exe{C64CDE3E-2CC3-6227-8407-000000003602}3148C:\Program Files\Mozilla Firefox\firefox.exe0x101451C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+9a1cff|C:\Program Files\Mozilla Firefox\xul.dll+7cdb64|C:\Program Files\Mozilla Firefox\xul.dll+1a003ff|C:\Program Files\Mozilla Firefox\xul.dll+12a45|C:\Program Files\Mozilla Firefox\xul.dll+98ca3f|C:\Program Files\Mozilla Firefox\xul.dll+12627|C:\Program Files\Mozilla Firefox\xul.dll+989c91|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1da48|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032662Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:31.632{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032661Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:31.632{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032660Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:31.632{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032659Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:31.632{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032658Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:31.632{C64CDE3E-200C-6227-FA01-000000003602}37964832C:\Windows\system32\csrss.exe{C64CDE3E-2CC3-6227-8407-000000003602}3148C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000032657Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:31.632{C64CDE3E-2A1A-6227-1807-000000003602}12687036C:\Program Files\Mozilla Firefox\firefox.exe{C64CDE3E-2CC3-6227-8407-000000003602}3148C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\ADVAPI32.dll+189bf|C:\Program Files\Mozilla Firefox\firefox.exe+30dbd|C:\Program Files\Mozilla Firefox\firefox.exe+2ffe5|C:\Program Files\Mozilla Firefox\xul.dll+205d28a|C:\Program Files\Mozilla Firefox\xul.dll+99dcee|C:\Program Files\Mozilla Firefox\xul.dll+99beb5|C:\Program Files\Mozilla Firefox\xul.dll+9a2b2e|C:\Program Files\Mozilla Firefox\xul.dll+839abd|C:\Program Files\Mozilla Firefox\xul.dll+16c00dd|C:\Program Files\Mozilla Firefox\xul.dll+16a857b|C:\Program Files\Mozilla Firefox\xul.dll+98ca3f|C:\Program Files\Mozilla Firefox\xul.dll+2461e|C:\Program Files\Mozilla Firefox\xul.dll+83cb5b|C:\Program Files\Mozilla Firefox\nss3.dll+69cc|C:\Program Files\Mozilla Firefox\nss3.dll+8f2b1|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1da48|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000032656Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:31.632{C64CDE3E-2CC3-6227-8407-000000003602}3148C:\Program Files\Mozilla Firefox\firefox.exe97.0.2FirefoxFirefoxMozilla Corporationfirefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1268.57.2010836220\754842533" -childID 20 -isForBrowser -prefsHandle 8084 -prefMapHandle 8156 -prefsLen 14746 -prefMapSize 242229 -jsInitHandle 976 -jsInitLen 279340 -parentBuildID 20220304162637 -appDir "C:\Program Files\Mozilla Firefox\browser" - 1268 "\\.\pipe\gecko-crash-server-pipe.1268" 7860 290eedb8b48 tabC:\Program Files\Mozilla Firefox\ATTACKRANGE\Administrator{C64CDE3E-200F-6227-41B6-150000000000}0x15b6412LowMD5=8EED02513FEE9651AB53BCE69398DDC0,SHA256=13266B71CCF68ACF0A7E954942FE2AEC9DE087BC7074D2D86E0FEB93820752FB,IMPHASH=FAFFE564A2DAFFCCC4A6BE71D34C1748{C64CDE3E-2A1A-6227-1807-000000003602}1268C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" 354300x800000000000000032655Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:29.156{C64CDE3E-2A1A-6227-1807-000000003602}1268C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local50994-false45.89.69.168cpanel12.coopertino.ru80http 10341000x800000000000000032654Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:31.629{C64CDE3E-1CE4-6227-0B00-000000003602}6126296C:\Windows\system32\lsass.exe{C64CDE3E-2A1A-6227-1807-000000003602}1268C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032653Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:31.629{C64CDE3E-1CE4-6227-0B00-000000003602}6126296C:\Windows\system32\lsass.exe{C64CDE3E-2A1A-6227-1807-000000003602}1268C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032652Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:31.629{C64CDE3E-1CE4-6227-0B00-000000003602}6126296C:\Windows\system32\lsass.exe{C64CDE3E-2A1A-6227-1807-000000003602}1268C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032651Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:31.629{C64CDE3E-1CE4-6227-0B00-000000003602}6126296C:\Windows\system32\lsass.exe{C64CDE3E-2A1A-6227-1807-000000003602}1268C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032650Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:31.629{C64CDE3E-1CE4-6227-0B00-000000003602}6126296C:\Windows\system32\lsass.exe{C64CDE3E-2A1A-6227-1807-000000003602}1268C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032649Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:31.629{C64CDE3E-1CE4-6227-0B00-000000003602}6126296C:\Windows\system32\lsass.exe{C64CDE3E-2A1A-6227-1807-000000003602}1268C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032648Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:31.629{C64CDE3E-1CE4-6227-0B00-000000003602}6126296C:\Windows\system32\lsass.exe{C64CDE3E-2A1A-6227-1807-000000003602}1268C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032647Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:31.629{C64CDE3E-1CE4-6227-0B00-000000003602}6126296C:\Windows\system32\lsass.exe{C64CDE3E-2A1A-6227-1807-000000003602}1268C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032646Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:31.629{C64CDE3E-1CE4-6227-0B00-000000003602}6126296C:\Windows\system32\lsass.exe{C64CDE3E-2A1A-6227-1807-000000003602}1268C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032645Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:31.629{C64CDE3E-1CE4-6227-0B00-000000003602}6126296C:\Windows\system32\lsass.exe{C64CDE3E-2A1A-6227-1807-000000003602}1268C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032644Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:31.629{C64CDE3E-1CE4-6227-0B00-000000003602}6126296C:\Windows\system32\lsass.exe{C64CDE3E-2A1A-6227-1807-000000003602}1268C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032643Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:31.629{C64CDE3E-1CE4-6227-0B00-000000003602}6126296C:\Windows\system32\lsass.exe{C64CDE3E-2A1A-6227-1807-000000003602}1268C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032642Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:31.629{C64CDE3E-1CE4-6227-0B00-000000003602}6126296C:\Windows\system32\lsass.exe{C64CDE3E-2A1A-6227-1807-000000003602}1268C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032641Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:31.626{C64CDE3E-1CE4-6227-0B00-000000003602}6126296C:\Windows\system32\lsass.exe{C64CDE3E-2A1A-6227-1807-000000003602}1268C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032640Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:31.626{C64CDE3E-1CE4-6227-0B00-000000003602}6126296C:\Windows\system32\lsass.exe{C64CDE3E-2A1A-6227-1807-000000003602}1268C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032639Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:31.626{C64CDE3E-1CE4-6227-0B00-000000003602}6126296C:\Windows\system32\lsass.exe{C64CDE3E-2A1A-6227-1807-000000003602}1268C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032638Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:31.626{C64CDE3E-1CE4-6227-0B00-000000003602}6126296C:\Windows\system32\lsass.exe{C64CDE3E-2A1A-6227-1807-000000003602}1268C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032637Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:31.626{C64CDE3E-1CE4-6227-0B00-000000003602}6126296C:\Windows\system32\lsass.exe{C64CDE3E-2A1A-6227-1807-000000003602}1268C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032636Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:31.626{C64CDE3E-1CE4-6227-0B00-000000003602}6126296C:\Windows\system32\lsass.exe{C64CDE3E-2A1A-6227-1807-000000003602}1268C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032635Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:31.626{C64CDE3E-1CE4-6227-0B00-000000003602}6126296C:\Windows\system32\lsass.exe{C64CDE3E-2A1A-6227-1807-000000003602}1268C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032634Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:31.626{C64CDE3E-1CE4-6227-0B00-000000003602}6126296C:\Windows\system32\lsass.exe{C64CDE3E-2A1A-6227-1807-000000003602}1268C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032633Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:31.626{C64CDE3E-1CE4-6227-0B00-000000003602}6126296C:\Windows\system32\lsass.exe{C64CDE3E-2A1A-6227-1807-000000003602}1268C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032632Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:31.626{C64CDE3E-1CE4-6227-0B00-000000003602}6126296C:\Windows\system32\lsass.exe{C64CDE3E-2A1A-6227-1807-000000003602}1268C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032631Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:31.626{C64CDE3E-1CE4-6227-0B00-000000003602}6126296C:\Windows\system32\lsass.exe{C64CDE3E-2A1A-6227-1807-000000003602}1268C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032630Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:31.626{C64CDE3E-1CE4-6227-0B00-000000003602}6126296C:\Windows\system32\lsass.exe{C64CDE3E-2A1A-6227-1807-000000003602}1268C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032629Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:31.626{C64CDE3E-1CE4-6227-0B00-000000003602}6126296C:\Windows\system32\lsass.exe{C64CDE3E-2A1A-6227-1807-000000003602}1268C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 17141700x800000000000000032628Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-CreatePipe2022-03-08 10:15:31.620{C64CDE3E-2A1A-6227-1807-000000003602}1268\chrome.1268.57.201083622C:\Program Files\Mozilla Firefox\firefox.exe 23542300x800000000000000032627Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:31.553{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA6BDEA0ADD5953142ECBF9760C2E3DF,SHA256=2F1795B3648B8D84EB997068A1BBFA0B931CA8A4FE5EC3359EA2F39E38F938AC,IMPHASH=00000000000000000000000000000000falsetrue 22542200x800000000000000032626Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:28.476{C64CDE3E-2A1A-6227-1807-000000003602}1268adservice.google.de0type: 5 pagead46.l.doubleclick.net;::ffff:216.58.212.130;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000032625Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:28.033{C64CDE3E-2A1A-6227-1807-000000003602}1268plus.l.google.com02a00:1450:4001:803::200e;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000032624Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:27.933{C64CDE3E-2A1A-6227-1807-000000003602}1268nodispappearancepage.9002-C:\Program Files\Mozilla Firefox\firefox.exe 23542300x800000000000000017240Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:32.968{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E736604CCE7B4C30EEDE8E24A3E690D,SHA256=EA30EF15C99550B838C0532BB3D9632461A8A7608E58AB36CD85DC0597134598,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032683Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:32.670{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2248910C756FF444914872C2A80D943E,SHA256=90A74A07A6935FCE90AA30AB573442CBF6EC6BC5BFB7A34F69FAC76FEF151AB9,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032682Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:29.351{C64CDE3E-2A1A-6227-1807-000000003602}1268C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local50995-false87.250.251.119mc.yandex.ru80http 23542300x800000000000000032681Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:32.570{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=339E8B12BD32AFE040CF96121E77F6D1,SHA256=414813B43FCCB6D0B5CA6300D5B4FB54F461FAC9896DA33410900A10AD4C1ED6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032686Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:33.574{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D832F1EDC97763E350AF1AE99ED8210B,SHA256=87209633F6A47DBCB18393299E96EB573FA9FC9F371572DDA83FD2E73FE2F01B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000017268Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:33.547{DCBFC465-204C-6227-9D00-000000003702}32923480C:\Windows\system32\conhost.exe{DCBFC465-2CC5-6227-3C05-000000003702}2744C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017267Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:33.547{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017266Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:33.547{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017265Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:33.547{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017264Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:33.547{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017263Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:33.547{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017262Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:33.547{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017261Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:33.547{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017260Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:33.547{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017259Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:33.547{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017258Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:33.547{DCBFC465-1FDD-6227-0500-000000003702}4041684C:\Windows\system32\csrss.exe{DCBFC465-2CC5-6227-3C05-000000003702}2744C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000017257Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:33.547{DCBFC465-204C-6227-9900-000000003702}30483280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{DCBFC465-2CC5-6227-3C05-000000003702}2744C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000017256Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:33.547{DCBFC465-2CC5-6227-3C05-000000003702}2744C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{DCBFC465-1FDE-6227-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{DCBFC465-204C-6227-9900-000000003702}3048C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000017255Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:33.500{DCBFC465-1FE0-6227-1200-000000003702}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=1DCB9E6FC8E42F6F4DE3C5AC63571A41,SHA256=CD29B4842BA2DC7CC9834F96D1C5722D61D685F374EE3F295D1B9A4BE1FDE922,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000017254Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:33.297{DCBFC465-2CC5-6227-3B05-000000003702}39083524C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{DCBFC465-204C-6227-9900-000000003702}3048C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017253Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:33.047{DCBFC465-204C-6227-9D00-000000003702}32923480C:\Windows\system32\conhost.exe{DCBFC465-2CC5-6227-3B05-000000003702}3908C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017252Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:33.047{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017251Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:33.047{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017250Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:33.047{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017249Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:33.047{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017248Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:33.047{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017247Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:33.047{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017246Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:33.047{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017245Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:33.047{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017244Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:33.047{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017243Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:33.047{DCBFC465-1FDD-6227-0500-000000003702}4041684C:\Windows\system32\csrss.exe{DCBFC465-2CC5-6227-3B05-000000003702}3908C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000017242Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:33.047{DCBFC465-204C-6227-9900-000000003702}30483280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{DCBFC465-2CC5-6227-3B05-000000003702}3908C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000017241Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:33.047{DCBFC465-2CC5-6227-3B05-000000003702}3908C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{DCBFC465-1FDE-6227-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{DCBFC465-204C-6227-9900-000000003702}3048C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000032685Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:33.510{C64CDE3E-2A1A-6227-1807-000000003602}1268ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\qh3soqs3.default-release\cache2\doomed\6279MD5=61805A1CA2F41B4384A3B007E3D5391E,SHA256=FDF9433504A40C3FB693859A6C011F26BFD23F6E6E0D1DB5BF7D4BAC1E541062,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032684Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:33.510{C64CDE3E-2A1A-6227-1807-000000003602}1268ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\qh3soqs3.default-release\cache2\doomed\20317MD5=F6D710BF9451F30031446AF9A25EE30A,SHA256=6DF4CCF72A9CE1B8DCF2DAE0063A0793D5ECADC19872872349E8B914DDBBD5EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032691Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:34.618{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB1366DB808069F8DB38AB31920D45DA,SHA256=7914B8F6103CD4B21564E0EE43648F1936F0357C8E422CDAE1BE4F638F5A33AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017272Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:34.375{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BC5DA42DF8D4E401D78C3D81F1CBE8A7,SHA256=FF9FCB0F9D272B37E5F6F80B6776D2A7F8D42668AC4CF285F45DBBE2EA1A56D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017271Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:34.375{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63E764FC4F5E3061D0373374989A3E53,SHA256=0063BD62CCC3379A6EA2907DA1EAA35508823D5AAD783258B0D6A8C3F7E53C1F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017270Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:34.375{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=61585D4ADA5813683983A15EEE1E1828,SHA256=5D9DA7DB5B365F0E70A6D9B7556593EE9860F3AAEB5B9FC9DAE9F025A809964C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000017269Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:32.361{DCBFC465-2057-6227-C700-000000003702}2764C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-179.eu-central-1.compute.internal50332-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000032690Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:34.391{C64CDE3E-2A1A-6227-1807-000000003602}1268ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qh3soqs3.default-release\webappsstore.sqlite-walMD5=C9167D921095CDDE82FD7E8E25F0B398,SHA256=7796199B38571A7625FF3AE51CA43321B0F438276F2F508E86287B8DED03D495,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032689Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:34.388{C64CDE3E-2A1A-6227-1807-000000003602}1268ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qh3soqs3.default-release\webappsstore.sqlite-shmMD5=5F28735FEB9621541AB9AF49F8C90ED9,SHA256=7F02F8BC22C86D51BE638AAE3BF1477F3F69B0A9D09E3D56ACB1DD0CD5BFD82D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032688Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:34.385{C64CDE3E-2A1A-6227-1807-000000003602}1268ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qh3soqs3.default-release\storage\default\https+++www.google.com\ls\data.sqlite-journalMD5=88311F2ABDF57DE8FA129BEA6C5C4906,SHA256=AF86F9CBEC0E918A23FDD7498383A389778D2178D48CDD5EE130D50D64A81ED0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032687Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:34.371{C64CDE3E-2A1A-6227-1807-000000003602}1268ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qh3soqs3.default-release\storage\default\https+++www.google.com\ls\usageMD5=C79689CFAAE446D53027F2869DD44ECD,SHA256=FFD2148734E3E67E2EA935AA8D62E80E28B842F2A5D21B6D1C01D7A8F80FD12F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032698Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:35.917{C64CDE3E-2A1A-6227-1807-000000003602}1268ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qh3soqs3.default-release\webappsstore.sqlite-walMD5=4733729183F32586C7C6347327D900EB,SHA256=AC15738EBE663F439B616064907EBB9925288684E488715B367C1345DEE7A4F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032697Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:35.917{C64CDE3E-2A1A-6227-1807-000000003602}1268ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qh3soqs3.default-release\webappsstore.sqlite-shmMD5=1A6A5BBCF3C9834640106C6C7BDC3D5F,SHA256=527E97F93C9EF1D69ADFDC9BA63673A1D5CCFA9BFCF2631FB4D98030F730CD09,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032696Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:35.914{C64CDE3E-2A1A-6227-1807-000000003602}1268ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qh3soqs3.default-release\storage\default\http+++systemmanager.ru\ls\data.sqlite-journalMD5=DCCEC7FD73B6EEE4A6D9E6013484714F,SHA256=196489359745A758D40D1E2AF9F859B985DAB8EC0064498A7AEE040B7901B754,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032695Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:32.754{C64CDE3E-1D02-6227-6E00-000000003602}3608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local50996-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000032694Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:35.902{C64CDE3E-2A1A-6227-1807-000000003602}1268ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qh3soqs3.default-release\storage\default\http+++systemmanager.ru\ls\usageMD5=C3C829AF6098150F438278D08EE93107,SHA256=79E1E72B72EBD9366746CC9C2A4852CB7EE2B4C7C626D1D800A1143ED24797FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032693Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:35.622{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=728484FDDBC9EFE02CAA7048561D2A61,SHA256=FF2018127FD37BA876728FAD5CFC250F259BA794F17354699B83347827ED186E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000017301Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:35.938{DCBFC465-2CC7-6227-3E05-000000003702}10921784C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{DCBFC465-204C-6227-9900-000000003702}3048C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017300Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:35.703{DCBFC465-204C-6227-9D00-000000003702}32923480C:\Windows\system32\conhost.exe{DCBFC465-2CC7-6227-3E05-000000003702}1092C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017299Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:35.703{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017298Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:35.703{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017297Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:35.703{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017296Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:35.703{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017295Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:35.703{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017294Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:35.703{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017293Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:35.703{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017292Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:35.703{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017291Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:35.703{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017290Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:35.703{DCBFC465-1FDD-6227-0500-000000003702}404516C:\Windows\system32\csrss.exe{DCBFC465-2CC7-6227-3E05-000000003702}1092C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000017289Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:35.703{DCBFC465-204C-6227-9900-000000003702}30483280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{DCBFC465-2CC7-6227-3E05-000000003702}1092C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000017288Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:35.704{DCBFC465-2CC7-6227-3E05-000000003702}1092C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{DCBFC465-1FDE-6227-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{DCBFC465-204C-6227-9900-000000003702}3048C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000017287Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:35.408{DCBFC465-2CC7-6227-3D05-000000003702}40763896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{DCBFC465-204C-6227-9900-000000003702}3048C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017286Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:35.203{DCBFC465-204C-6227-9D00-000000003702}32923480C:\Windows\system32\conhost.exe{DCBFC465-2CC7-6227-3D05-000000003702}4076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017285Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:35.203{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017284Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:35.203{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017283Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:35.203{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017282Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:35.203{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017281Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:35.203{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017280Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:35.203{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017279Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:35.203{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017278Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:35.203{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017277Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:35.203{DCBFC465-1FDD-6227-0500-000000003702}4041684C:\Windows\system32\csrss.exe{DCBFC465-2CC7-6227-3D05-000000003702}4076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000017276Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:35.203{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017275Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:35.203{DCBFC465-204C-6227-9900-000000003702}30483280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{DCBFC465-2CC7-6227-3D05-000000003702}4076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000017274Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:35.203{DCBFC465-2CC7-6227-3D05-000000003702}4076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{DCBFC465-1FDE-6227-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{DCBFC465-204C-6227-9900-000000003702}3048C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000017273Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:35.172{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D773E91D5066251FAFE1A8EFED82146,SHA256=E9BF8BFE1371794F3AD2EB73795F4CDF60948E30E0B9B73A2D5262C826654D50,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032692Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:35.446{C64CDE3E-2A1A-6227-1807-000000003602}1268ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qh3soqs3.default-release\datareporting\glean\db\data.safe.binMD5=3D0B69B3BBB45DF96AA8CF5E301BE955,SHA256=F31497DF8EE9F021FED17C60ADAA8A1FE95B4EE41E440C6121ACF9FD5D396AEF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000017329Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:36.703{DCBFC465-204C-6227-9D00-000000003702}32923480C:\Windows\system32\conhost.exe{DCBFC465-2CC8-6227-4005-000000003702}4048C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000017328Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:36.703{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=130D3FC5E3570469BB71B410FE93D97C,SHA256=1F9E7E952D9BC2F95FEF30BFDADE993DD5B627776CC91CBF305F6545F125FF02,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000017327Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:36.703{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017326Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:36.703{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017325Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:36.703{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017324Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:36.703{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017323Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:36.703{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017322Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:36.703{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017321Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:36.703{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017320Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:36.703{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017319Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:36.703{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017318Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:36.703{DCBFC465-1FDD-6227-0500-000000003702}404420C:\Windows\system32\csrss.exe{DCBFC465-2CC8-6227-4005-000000003702}4048C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000017317Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:36.703{DCBFC465-204C-6227-9900-000000003702}30483280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{DCBFC465-2CC8-6227-4005-000000003702}4048C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000017316Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:36.704{DCBFC465-2CC8-6227-4005-000000003702}4048C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{DCBFC465-1FDE-6227-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{DCBFC465-204C-6227-9900-000000003702}3048C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000032699Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:36.633{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D5CE75C14CD20E76EE50BB19F35CE5B,SHA256=6B990B61F8F724BEA9BD8D8BC93B4DDE189AF4DAD247766CE50C4354FCA701F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017315Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:36.281{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BC5DA42DF8D4E401D78C3D81F1CBE8A7,SHA256=FF9FCB0F9D272B37E5F6F80B6776D2A7F8D42668AC4CF285F45DBBE2EA1A56D0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000017314Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:36.203{DCBFC465-204C-6227-9D00-000000003702}32923480C:\Windows\system32\conhost.exe{DCBFC465-2CC8-6227-3F05-000000003702}1948C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017313Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:36.203{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017312Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:36.203{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017311Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:36.203{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:36.203{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017309Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:36.203{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017308Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:36.203{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017307Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:36.203{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017306Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:36.203{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017305Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:36.203{DCBFC465-1FDD-6227-0500-000000003702}4041684C:\Windows\system32\csrss.exe{DCBFC465-2CC8-6227-3F05-000000003702}1948C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000017304Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:36.203{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017303Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:36.203{DCBFC465-204C-6227-9900-000000003702}30483280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{DCBFC465-2CC8-6227-3F05-000000003702}1948C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000017302Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:36.204{DCBFC465-2CC8-6227-3F05-000000003702}1948C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{DCBFC465-1FDE-6227-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{DCBFC465-204C-6227-9900-000000003702}3048C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000017332Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:37.832{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F0AF6D502A28EBCF60D1C126A4C541BC,SHA256=11542BF5AF86229B669E557E7AD4C2D2CB8B709B5C7E18996A0C8A78BC5C6C6C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017331Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:37.723{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C5924704BCA9CC2BC8989BCFA5F9DE9,SHA256=25835C1FDD6509F014527CE6495927D843E0AA289A23F93D87FF4E9917164CA8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032700Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:37.638{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D226DC4AE5FFFB299FBFBC229B238933,SHA256=273D48BC64CF36A94448EFCCF42C75A5C95BB7F25A525CE5FBB995739BE5106E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000017330Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:37.015{DCBFC465-2CC8-6227-4005-000000003702}4048356C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{DCBFC465-204C-6227-9900-000000003702}3048C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000017346Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:38.739{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05825AAC8A696EA30EAA2FCF4A7DBA0D,SHA256=8632B3A318D3DC5FC2A983B3158AF2E1D53FDCBBA2989057C05158A96B960224,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032708Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:38.661{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE61C1F65C05E864B0C693FCA9C10A1F,SHA256=0ADBD893F477D2146C1B0D4CDD7484FB25E1589D408507B39F84621266426DBD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000017345Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:38.161{DCBFC465-204C-6227-9D00-000000003702}32923480C:\Windows\system32\conhost.exe{DCBFC465-2CCA-6227-4105-000000003702}3164C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017344Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:38.161{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017343Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:38.161{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017342Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:38.161{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017341Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:38.161{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017340Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:38.161{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017339Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:38.161{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017338Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:38.161{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017337Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:38.161{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017336Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:38.161{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017335Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:38.161{DCBFC465-1FDD-6227-0500-000000003702}404420C:\Windows\system32\csrss.exe{DCBFC465-2CCA-6227-4105-000000003702}3164C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000017334Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:38.161{DCBFC465-204C-6227-9900-000000003702}30483280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{DCBFC465-2CCA-6227-4105-000000003702}3164C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000017333Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:38.161{DCBFC465-2CCA-6227-4105-000000003702}3164C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{DCBFC465-1FDE-6227-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{DCBFC465-204C-6227-9900-000000003702}3048C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000032707Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:38.406{C64CDE3E-2013-6227-1602-000000003602}17405652C:\Windows\Explorer.EXE{C64CDE3E-292B-6227-FA06-000000003602}4996C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+63325|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032706Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:38.406{C64CDE3E-2013-6227-1602-000000003602}17405652C:\Windows\Explorer.EXE{C64CDE3E-292B-6227-FA06-000000003602}4996C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6323e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032705Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:38.406{C64CDE3E-2013-6227-1602-000000003602}17405652C:\Windows\Explorer.EXE{C64CDE3E-292B-6227-FA06-000000003602}4996C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63207|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032704Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:38.400{C64CDE3E-2013-6227-1602-000000003602}17405212C:\Windows\Explorer.EXE{C64CDE3E-292B-6227-FA06-000000003602}4996C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+639b0|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032703Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:38.400{C64CDE3E-2013-6227-1602-000000003602}17405212C:\Windows\Explorer.EXE{C64CDE3E-292B-6227-FA06-000000003602}4996C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47d70|C:\Windows\System32\SHELL32.dll+6396c|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032702Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:38.400{C64CDE3E-2013-6227-1602-000000003602}17405212C:\Windows\Explorer.EXE{C64CDE3E-292B-6227-FA06-000000003602}4996C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63940|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032701Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:38.400{C64CDE3E-2013-6227-1602-000000003602}17405212C:\Windows\Explorer.EXE{C64CDE3E-292B-6227-FA06-000000003602}4996C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d549|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000017350Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:39.786{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8EF878E28617AF90ECEF8634F7E7A92C,SHA256=2E48B6675B5DB4414B94AD0AED5DFCD767963EEAE856923EAEDDB7F728B4D5C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032709Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:39.812{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E075C36694C6968FA874C17503331BA7,SHA256=BD6DE966B6CC09528B6B54F3867733F706B392C26884E05AE98F8954CBF6F8D7,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000017349Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:36.785{DCBFC465-1FE4-6227-3C00-000000003702}3064C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-179.eu-central-1.compute.internal50334-false169.254.169.254instance-data.eu-central-1.compute.internal80http 354300x800000000000000017348Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:36.783{DCBFC465-1FE4-6227-3C00-000000003702}3064C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-179.eu-central-1.compute.internal50333-false169.254.169.254instance-data.eu-central-1.compute.internal80http 23542300x800000000000000017347Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:39.161{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C8F89F09E8368183C6A7E8A4D33A016A,SHA256=67341BBC7054D7F895EC18F17F51BE4674539BD0C5D25668F95E00A454A8B4D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017352Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:40.832{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7092AEB003ACC0B97F067CCCDC7125E,SHA256=DCC609EF237711D01324678FD8067881DB79066781F55DEA0C242348A980E9C7,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032711Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:37.831{C64CDE3E-1D02-6227-6E00-000000003602}3608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local50997-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000032710Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:40.827{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD641C07B7761D2820AE9C64FB407A46,SHA256=4967F1DDEE1844A9B30F187FCE7DA4965B800F7508B3EDE3CF2CC34D2D3BEE4C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000017351Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:37.507{DCBFC465-2057-6227-C700-000000003702}2764C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-179.eu-central-1.compute.internal50335-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000017353Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:41.880{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C570107DE87402C63F257023D1E016F,SHA256=4F3720B410DFFAC1B7107E753FE4E42C0AA1CD961B59E2B47D32E69594CED8AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032712Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:41.834{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82DA7AE130B4F4C6645D20C67079E2EF,SHA256=EF6DF82E65AD95973103729CB15167EDE47E35E02DCA05FC62070A118992E0CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017354Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:42.880{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47254D4C15259947D20582461169A77D,SHA256=A34D55B55B625FC9E6B930535DC14BDF8F5939260D247B0003D1186202F4DED7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032713Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:42.911{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE34CA6719C68379F99A0F76C42A9555,SHA256=D8E6D9B5A3891274DF399034CD2BCD3D63BE8A433EFB536B949DA41A0F37D788,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017355Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:43.911{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4AA681463B0E67AEE40CED5AB3D289B9,SHA256=86F241E8FCE67F72E5CE9FEE6E172BBA5A09A34E6E0870ED434429606AA9A608,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032715Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:43.969{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FB9F15D3EDD5377D6B4310D0A27D159,SHA256=F726AFBE662DE5456280AC10A44F059410209FCE54A3AA1F7BEE0DA9AD3404D1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000032714Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:43.903{C64CDE3E-1CE6-6227-0D00-000000003602}8841404C:\Windows\system32\svchost.exe{C64CDE3E-292B-6227-FA06-000000003602}4996C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000017356Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:44.098{DCBFC465-204C-6227-9900-000000003702}3048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=3876A38BBEFCA90FF3CEDFEA240824F7,SHA256=1B0B546F5DF79768DBDD8B3924CC7FF13A208BFBDDD31484568BAA5945CCF5CC,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000017358Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:43.335{DCBFC465-204C-6227-9900-000000003702}3048C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-179.eu-central-1.compute.internal50336-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x800000000000000017357Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:45.067{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A46D24A2D5207CCD7DC0FDBF6543E20,SHA256=5867B2150D77105F5AF337AB3972DBDECEFAEB21930316987E62486A73EDEC8B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032716Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:45.036{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F27D8E0A7BA50C31951C335B71AC687E,SHA256=421A1BEEE8EC65D92C1A90CABF1E8EE4D25842A07DD82263FB0034B7B88DC7E6,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000017360Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:43.460{DCBFC465-2057-6227-C700-000000003702}2764C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-179.eu-central-1.compute.internal50337-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000017359Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:46.067{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8E53406C48F0B9DFD52244B84707814,SHA256=91B474F89204F1BE2D1AC1D5F7956392C10A10FC69D0685CD72CDB90191B08D4,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032718Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:43.683{C64CDE3E-1D02-6227-6E00-000000003602}3608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local50998-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000032717Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:46.040{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=266FBDB62AB5E50F34EB598F0B89AB38,SHA256=E22D23D5E3F40C48D6BD88F1770A824D18D9A7133E25949C7C75E5E48BEA0DD8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017361Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:47.074{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C690987CDF43D771DA77259A44CA6357,SHA256=566A657B4FC86EC5543C2356BEE329E957CE80E97DF19E67035042B9D49BE089,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032719Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:47.044{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA54DA368CF6E9B22FBA9BB549EE374D,SHA256=ED05335D85C33EC2A58D990CC6AAA66AF6CF6F1C6A18036FD80F0714E45E3A05,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017362Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:48.074{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C8AD666A401C70BF7A1215044E341AF,SHA256=1F1195580ACF5CDF9413875FA1C7A71D32AE326C8C62A1010AA361AAD6772D68,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032720Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:48.045{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D522F20018E79A66F646BAE59FE55865,SHA256=E941091D1EF09F5065A1EA498D0A4C3D6F9311E418BFDDD84A84ECB9E27EF9BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017363Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:49.074{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3BB5F9769C1507639C2A588D7E63E1D,SHA256=C562514D386603B889A1EC1B15BD3049409DA2A173636A1FA3BC63E23DFFEC54,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000032722Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:49.105{C64CDE3E-2011-6227-0B02-000000003602}6005036C:\Windows\system32\taskhostw.exe{C64CDE3E-2013-6227-1602-000000003602}1740C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000032721Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:49.050{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=407D2A58607F4FE6C8DEE1BBA9BD8598,SHA256=771E65C913A88E185DC419FAA1383B463F2480E0F23204CCED348A2700A23789,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017364Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:50.074{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E795CFEA2766744A7170C9D16C786804,SHA256=0AE8ED04A2BB1EFBD5A890A1E59D50E404050CE36FD2C96D5278EDE9B90D2B04,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032727Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:50.925{C64CDE3E-2A1A-6227-1807-000000003602}1268ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qh3soqs3.default-release\webappsstore.sqlite-walMD5=251419ED6CEDF3BDA3C23E3F323AA48A,SHA256=9B1844082D2B1557426C1628F8CE55A3F0CC3E9C30C5E0E8EAFA113A2D71D4B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032726Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:50.922{C64CDE3E-2A1A-6227-1807-000000003602}1268ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qh3soqs3.default-release\webappsstore.sqlite-shmMD5=7BD44964D54E81A2F676B51166975DB4,SHA256=988B97BA013B6423068F6A84B0B9447052518DD74D793817FE4E562C4DA6A375,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032725Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:50.919{C64CDE3E-2A1A-6227-1807-000000003602}1268ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qh3soqs3.default-release\storage\default\http+++systemmanager.ru\ls\data.sqlite-journalMD5=25DAA2CB5BD939B5CFB8EB2A199A578A,SHA256=21B790734B264A9BD692EB18C387DC9FD2DEFECC9915B60C81DD13CE9844816E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032724Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:50.904{C64CDE3E-2A1A-6227-1807-000000003602}1268ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qh3soqs3.default-release\storage\default\http+++systemmanager.ru\ls\usageMD5=C3C829AF6098150F438278D08EE93107,SHA256=79E1E72B72EBD9366746CC9C2A4852CB7EE2B4C7C626D1D800A1143ED24797FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032723Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:50.060{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F94C100E8986623A764E3EB7275191C,SHA256=640397B9E5E70B79E26834B1AE984FA8327DF37BE7382DC051649F19017C9BD4,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000017366Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:49.389{DCBFC465-2057-6227-C700-000000003702}2764C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-179.eu-central-1.compute.internal50338-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000017365Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:51.090{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C8C7E154A7535371610CD0750348FC6,SHA256=B5C40DD0D621DDE85BFA5E74BC607AB7A7E0EC508CC6C112CE1E4EEBC03FC2F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032729Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:51.144{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8B460E3596F4792621C1F27C77145D6,SHA256=AF2E973A7B89FB527E9428336C0C0F921D187CA4CA9A0018D70AB91C9B9CD47B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032728Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:51.141{C64CDE3E-1CF7-6227-2900-000000003602}2864NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0dfe1b371cfc2186e\channels\health\respondent-20220308090810-065MD5=AC296348C12F899BF0F527F2984A2DD1,SHA256=A35560BD23E94F5C9C2AA7752B988DA786BB94608EDDAF755EB3DCD02CE684A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017367Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:52.121{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74A6490576F7D2600283ADF6242B857A,SHA256=03DDC0E1FB25A0D6F2EF7D5C995818199DCF6131FDA36FD896547FBC7B8FE10B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032733Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:52.849{C64CDE3E-1CE6-6227-1000-000000003602}420NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=8B3F828540C59867C83EE36037F91F17,SHA256=BCB652DCDBB36943B012DD694189526F82F9F3B36316B4B30E9105BEF000DC4A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032732Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:52.147{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=936F1C38B0FE4981B5BAE72A8B1DE52C,SHA256=A0294D0862E2494A10F019734EF754FC431C53AA30DD6594854ECC7E43DCC4DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032731Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:52.141{C64CDE3E-1CF7-6227-2900-000000003602}2864NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0dfe1b371cfc2186e\channels\health\surveyor-20220308090808-066MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032730Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:48.809{C64CDE3E-1D02-6227-6E00-000000003602}3608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local50999-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000017368Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:53.340{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1322906752EA2029AFE77EC86BE2039,SHA256=E1F2EC8D77068828B923EA71FA73F224A9D6F6011AC76A121A0F9F2808B02F16,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032734Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:53.153{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=603507B28FFF4FC24DECB134F61B4ECE,SHA256=DCA2268025EB72CE8918F21A36209A9B6FB1C0BF3BAFECB5E37B30000A224716,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017369Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:54.355{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6ED49656D6DF3C075F1E9E53F545B07B,SHA256=F0C2F3AA9428E1DE0500AEDBEBC0E25A27654AADAF4CB4BC1F6EF2B87C357DEF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032735Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:54.222{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E6DEC1A8685A2EF6A84CD1F16ACAC86,SHA256=32F0CAB61697A3A5DC81AA54A954F9579E0D858512FA51DF89BF12AE0BCBA8D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017370Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:55.605{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7EC5F3D0D7B46A23750B26A975E39589,SHA256=D7186E97E6FA151BDBFC96785D1AEE60896BC74C24903D8E9A918D447B9B5F55,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032736Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:55.292{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2C7E40429B70BF27FC87A810BDF2D84,SHA256=9C256949945427DB6A4E84C088FD91C6AFEB1F512B2DB22242AF5A0ACC9FE166,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017371Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:56.777{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=633E281151852DFB494CC6B3EB92E2A1,SHA256=47809ABCF2BDFE2539354B2650442FDDB89714A540CD53036AA928781192948A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032738Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:56.805{C64CDE3E-1CF7-6227-2B00-000000003602}2896NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=3876A38BBEFCA90FF3CEDFEA240824F7,SHA256=1B0B546F5DF79768DBDD8B3924CC7FF13A208BFBDDD31484568BAA5945CCF5CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032737Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:56.306{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB27A3A716F05B0B2B2F9311847CC9FA,SHA256=3DE60F037D67D469BE7212C00A00219BFB826AE9CE2B19EADABB4DFD85E33A97,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000017373Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:55.295{DCBFC465-2057-6227-C700-000000003702}2764C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-179.eu-central-1.compute.internal50339-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000017372Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:57.856{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB7195D87850A630BE0A702819146127,SHA256=2D000E4E62B31EE92B60CDD185301372C65D4DC7EF029E32CBD92FFA1A9CB693,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032739Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:57.311{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF232BC1F9F98E8096F6D64D738D1D04,SHA256=B0CFAA965B008F7BBC4E740037BABA2E630C9442FE4D5C577291C71A01C8034C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032741Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:58.316{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E13F4CA4930F4936123B437B145DDEDD,SHA256=B2E689A0D54C41F0C599BDAD573688E6479F84D0FFA536CDF14F9312CB870E3E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017374Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:58.532{DCBFC465-1FE1-6227-1E00-000000003702}1908NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-015ba7764a251f6be\channels\health\respondent-20220308092036-053MD5=AD989BA5FC8211C68DEB145594DF29B5,SHA256=A92C9E9F939B5FA1DAF2D9D45D4066E44A16133766F98754DF452EC8E38921ED,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032740Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:54.716{C64CDE3E-1D02-6227-6E00-000000003602}3608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local51000-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000017376Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:59.532{DCBFC465-1FE1-6227-1E00-000000003702}1908NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-015ba7764a251f6be\channels\health\surveyor-20220308092033-054MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017375Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:59.093{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F75453842476FF193A3286EFB275002,SHA256=EAB78D591812D4E1C98CCFEA11EC20354FE54F1685E533641BD21106C506534D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032743Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:59.323{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5999699DA6FD9A55B30B7DC85AEE5E9C,SHA256=779AD9443CEEF67462F65A096CAF3AE30F4084E9B9202CB3B2BE153CAADC79E3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032742Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:55.385{C64CDE3E-1CF7-6227-2B00-000000003602}2896C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local51001-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x800000000000000017377Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:16:00.155{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55B014049D558B83A9810129677E8AB3,SHA256=C68AE02B3E3878EA36C21EFD1EA0359B5171B8D20B634A7703AD4B490C95531B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032758Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:16:00.333{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C7A66AEA3C4B61D56C9873DE83C93E0,SHA256=079B58660871F9AF8A99246B7EF1BBB9C45A52ABFC627FF6BF5AB30EBC2EC5E8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000032757Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:16:00.253{C64CDE3E-2013-6227-1602-000000003602}17405652C:\Windows\Explorer.EXE{C64CDE3E-292B-6227-FA06-000000003602}4996C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+63325|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032756Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:16:00.253{C64CDE3E-2013-6227-1602-000000003602}17405652C:\Windows\Explorer.EXE{C64CDE3E-292B-6227-FA06-000000003602}4996C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6323e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032755Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:16:00.253{C64CDE3E-2013-6227-1602-000000003602}17405652C:\Windows\Explorer.EXE{C64CDE3E-292B-6227-FA06-000000003602}4996C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63207|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032754Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:16:00.205{C64CDE3E-2013-6227-1602-000000003602}17405212C:\Windows\Explorer.EXE{C64CDE3E-292B-6227-FA06-000000003602}4996C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+639b0|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032753Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:16:00.205{C64CDE3E-2013-6227-1602-000000003602}17405212C:\Windows\Explorer.EXE{C64CDE3E-292B-6227-FA06-000000003602}4996C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47d70|C:\Windows\System32\SHELL32.dll+6396c|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032752Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:16:00.205{C64CDE3E-2013-6227-1602-000000003602}17405212C:\Windows\Explorer.EXE{C64CDE3E-292B-6227-FA06-000000003602}4996C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63940|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032751Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:16:00.205{C64CDE3E-2013-6227-1602-000000003602}17405212C:\Windows\Explorer.EXE{C64CDE3E-292B-6227-FA06-000000003602}4996C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d549|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032750Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:16:00.088{C64CDE3E-1CE6-6227-0C00-000000003602}8242200C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032749Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:16:00.088{C64CDE3E-1CE6-6227-0C00-000000003602}8242200C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032748Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:16:00.088{C64CDE3E-1CE6-6227-0C00-000000003602}8242200C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032747Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:16:00.088{C64CDE3E-200C-6227-FA01-000000003602}37966396C:\Windows\system32\csrss.exe{C64CDE3E-2CE0-6227-8507-000000003602}4108C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000032746Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:16:00.088{C64CDE3E-1CE6-6227-0C00-000000003602}8242200C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032745Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:16:00.088{C64CDE3E-2013-6227-1602-000000003602}17406600C:\Windows\Explorer.EXE{C64CDE3E-2CE0-6227-8507-000000003602}4108C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Notepad++\NppShell_06.dll+4449|C:\Program Files\Notepad++\NppShell_06.dll+46a6|C:\Windows\System32\SHELL32.dll+80407|C:\Windows\System32\SHELL32.dll+6731e|C:\Windows\System32\SHELL32.dll+17c35c|C:\Windows\System32\SHELL32.dll+19eb28|C:\Windows\System32\SHELL32.dll+2846f3|C:\Windows\system32\explorerframe.dll+13cf7b|C:\Windows\system32\explorerframe.dll+139d07|C:\Windows\System32\SHELL32.dll+17c600|C:\Windows\System32\SHELL32.dll+179a7e|C:\Windows\System32\SHELL32.dll+73861|C:\Windows\System32\SHELL32.dll+76746|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53 154100x800000000000000032744Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:16:00.089{C64CDE3E-2CE0-6227-8507-000000003602}4108C:\Program Files\Notepad++\notepad++.exe8.32Notepad++ : a free (GPL) source code editorNotepad++Don HO don.h@free.frnotepad++.exe"C:\Program Files\Notepad++\notepad++.exe" "C:\Program Files\ansible\AttackRangeSysmon.xml"C:\Windows\system32\ATTACKRANGE\Administrator{C64CDE3E-200F-6227-41B6-150000000000}0x15b6412HighMD5=10DB8FAF4926EF216BFFE922D653EA0D,SHA256=C505A5CE5CAF2C01B0C784A9F05889D9445067595774DFDC4436DC800ED47501,IMPHASH=6BF41AAD44CE76BBBB7AA843748061B9{C64CDE3E-2013-6227-1602-000000003602}1740C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK 23542300x800000000000000017378Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:16:01.156{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64EE738E5FFFDEE8E998A843987F039F,SHA256=BC2295665A4339DADDB6D7B0A5972AD30A1C27EF50E22D47BD4C5E5143B05848,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000032767Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-SetValue2022-03-08 10:16:01.841{C64CDE3E-1CE6-6227-1200-000000003602}464C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\NcbService\NCB\KapiNlmCache\7\ValueBinary Data 13241300x800000000000000032766Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-SetValue2022-03-08 10:16:01.841{C64CDE3E-1CE6-6227-1200-000000003602}464C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\NcbService\NCB\KapiNlmCache\7\ValueSizeDWORD (0x00000008) 13241300x800000000000000032765Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-SetValue2022-03-08 10:16:01.841{C64CDE3E-1CE6-6227-1200-000000003602}464C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\NcbService\NCB\KapiNlmCache\7\KeySizeDWORD (0x00000000) 13241300x800000000000000032764Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-SetValue2022-03-08 10:16:01.841{C64CDE3E-1CE6-6227-1200-000000003602}464C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\NcbService\NCB\KapiNlmCache\7\TimestampQWORD (0x01d832d5-0x83392f41) 13241300x800000000000000032763Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-SetValue2022-03-08 10:16:01.841{C64CDE3E-1CE6-6227-1200-000000003602}464C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\NcbService\NCB\KapiNlmCache\7\NetworksBinary Data 13241300x800000000000000032762Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-SetValue2022-03-08 10:16:01.841{C64CDE3E-1CE6-6227-1200-000000003602}464C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\NcbService\NCB\KapiNlmCache\7\NumNetworksDWORD (0x00000001) 23542300x800000000000000032761Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:16:01.341{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7AB4A875D36391ACD37D471BFFBB52E9,SHA256=71DBD85832112DB1E67728D2AAD19C1423F53AF9A43FF12EC1250E1BB6F70452,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032760Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:16:01.089{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2F2245D0D82130AE8BEB49E0B81E9562,SHA256=80D0ECB4F1127C555E23C7621D97E8BBFDAF417A394BFC36FCC70AB445616A00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032759Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:16:01.089{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=177B0EE50704152537FB5ACEBA91F086,SHA256=60446B130F5A4E043F042C8671234210098024F399FA91A5C84514E257F3F7F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032768Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:16:02.357{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1253AE77B0438E08F4D7A67CF8097743,SHA256=E76F6FB22B53CB59C2D78C290131E3B290118B2E35BA9DFD8C52DA1C0324D045,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000017380Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:16:00.377{DCBFC465-2057-6227-C700-000000003702}2764C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-179.eu-central-1.compute.internal50340-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000017379Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:16:02.156{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B1547EAA165747392D8EE120B3C2AE7,SHA256=4F2F9AD0454F14A6E8D0F870EFEB9625896E2DC0F5515427BE14FD0634F2B134,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032770Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:16:00.753{C64CDE3E-1D02-6227-6E00-000000003602}3608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local51002-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000032769Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:16:03.371{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA0280019D5F3CE7E1EE9F2B0032801F,SHA256=8B00CB3F0770B0C7540BCA96D301BD174D377520A46FCDF0885102BF249CB882,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017381Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:16:03.157{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C133F8F777FBBB56C783CC0BD15A65A9,SHA256=392C3822C961CD9DDD10F7964D835E9ACCAD615E049E7B9193EA9449B89C7CC6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032771Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:16:04.388{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00435876DB4F894E0CDF3CE815C29EF6,SHA256=AF6387C3189BCA685F2D17304CDA600BC9C27427AFDE75F45CADE9E689F8E94C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017382Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:16:04.267{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA31527D67AA3E9FD4E535020C4B2F1F,SHA256=9971F8B881240BBE3C1A97F83FD21B368C7BDFACC1967FF542A1839301A60EC1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017383Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:16:05.267{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7AFC16908F2563C748861A939ECF2E08,SHA256=2E85282A61B2347E6CFA68439FFCE8CED8A810661B18AADD702160E6941EBFEA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032772Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:16:05.388{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DAB920FC8CF4E10F330E9B47BF07D29,SHA256=6AC60AAF3E91E4C10E0B59DD24F7721E1E0BFB5B31FB7A7BDF1A59B654F74857,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017384Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:16:06.268{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6AC18C47F80ACBD4FF58383133EDD57,SHA256=4E8D259E15D57EBA6AE0D4FE4746A60EAB36C94FCB0F8730AB507351D88BDBFC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032773Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:16:06.404{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF876BA41F018A8A55212FF29A055464,SHA256=1BF5DEB278E0A6FD4F8D5D7AEFC2C67628325098015F4E7698AAD787357F62E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032774Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:16:07.442{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=595A7AE28E2C9CDB29DDE29509BE950B,SHA256=9287A9AB962CB16FB97745484170502901B87309609F1AC6096DBDD5D675FB2F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017385Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:16:07.282{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9BE06060C935AB3DEC3BEA6E02F41164,SHA256=24A23896401A16C2A93592B73F67C81B283C7E9A835B22F5A368E0CD9B4DC742,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032775Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:16:08.457{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F0743BB048CE6442E6F22925B794B85,SHA256=8630409109F23B63D1ED1E08B85A24E5775B2B67B287059A9C6B6E96AC8B566A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017387Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:16:08.282{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3EE711424B737A96B509B959E7C68565,SHA256=4A2D34253236A67EB4C3E56B8939828296BFC2A1615BDC876C551A0F2E47A670,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000017386Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:16:05.442{DCBFC465-2057-6227-C700-000000003702}2764C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-179.eu-central-1.compute.internal50341-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000032776Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:16:09.472{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21D2F4E61917755144B94500B5CE1108,SHA256=C7048781A28B2EEAC772A4E94080DC3D5DE833701A58DE510D7A57C566BD9DCE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017388Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:16:09.423{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D958B29211423DBE339B2EE7B36D31BD,SHA256=686C89DD9AB7F91610BDAED27C3791627FE4F6222DFB63F6934A1E9746F72A72,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017389Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:16:10.455{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0140449139AE782C33B7682A6277202,SHA256=7C2533686CCAEDCAD6F928279E6B9922AA21B9426314CD30677060EE13AC20C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032778Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:16:10.521{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD4A80DE05DBB8B0223DCFBEBBEDF66F,SHA256=3C9B1FC451150A1A6CF38514B60A538D3E1E2FDB1306125958100D99001E697D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032777Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:16:06.671{C64CDE3E-1D02-6227-6E00-000000003602}3608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local51003-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000017390Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:16:11.675{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=944B227A742903145381B51BF9F84E68,SHA256=D343A3DC168FBD50251C3A64730FB4E431613B6968E68A3AF4310567B20DE961,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032779Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:16:11.540{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E247423ABD49DF490C9C7F67704AE352,SHA256=0F852F8B27054BBFBFE82B4A2AE775CB80AAB162E25D9E5154331EF1766E26DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017391Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:16:12.769{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B0C73C43B28E259B3A8A1D0FF5D8C34,SHA256=9086B154F4752C418FCAE893AC0FBB41503585A288DE648C4DD6D84642727063,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032780Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:16:12.555{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE4A855CE1DB0B76ED488F983BEE8EA4,SHA256=5EE3E7715A383610BD179258C96BFFB0D597A355A1613F1C68628D686656E31A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017392Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:16:13.957{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=585070BF337DF015777B54A30B2FFF4E,SHA256=A781EDE89AD376FC77311A83ACC43776E0E845805FE7668A676B22CFDC56D1F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032781Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:16:13.556{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3031E17B95CB7766837A897F37D2D82D,SHA256=A1D281F3B4133E7CD5A04303460B7E2342A28F04EBA6ABA62E137331B86D30AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032782Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:16:14.587{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=720B151C8DE69E8EAB5A687DE4ECAF67,SHA256=90E3ACD591C7E8DC0DF4E4834DF78F50D6DCD6F2BB0E47AAF09211A1B3E3E60F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000017393Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:16:11.349{DCBFC465-2057-6227-C700-000000003702}2764C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-179.eu-central-1.compute.internal50342-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000032787Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:16:15.871{C64CDE3E-2013-6227-1602-000000003602}17405360C:\Windows\Explorer.EXE{C64CDE3E-2A1A-6227-1807-000000003602}1268C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+55bd0|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF801508D8FD8)|UNKNOWN(FFFFF994344A5B68)|UNKNOWN(FFFFF994344A5CE7)|UNKNOWN(FFFFF994344A0371)|UNKNOWN(FFFFF994344A1D3A)|UNKNOWN(FFFFF9943449FFF6)|UNKNOWN(FFFFF801505F0503)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5942b|C:\Windows\System32\SHELL32.dll+dac8a|C:\Windows\System32\SHCORE.dll+33fad 10341000x800000000000000032786Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:16:15.871{C64CDE3E-2013-6227-1602-000000003602}17405360C:\Windows\Explorer.EXE{C64CDE3E-2A1A-6227-1807-000000003602}1268C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+556b1|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF801508D8FD8)|UNKNOWN(FFFFF994344A5B68)|UNKNOWN(FFFFF994344A5CE7)|UNKNOWN(FFFFF994344A0371)|UNKNOWN(FFFFF994344A1D3A)|UNKNOWN(FFFFF9943449FFF6)|UNKNOWN(FFFFF801505F0503)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5942b|C:\Windows\System32\SHELL32.dll+dac8a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000032785Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:16:15.871{C64CDE3E-2A1A-6227-1807-000000003602}1268ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RF3eb76b.TMPMD5=64FB9FCD78FAB0ED4E13FDF8E97F1F05,SHA256=7B76CC0C5F789CF638B4ADD18D721569F8C707C2DA260EF14EB7E4CDC324AE02,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032784Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:16:15.620{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F33E9534E912B3477130569560AE5CBE,SHA256=7EB61DEF63F7A25D7E2D16C0EBE93E1630C1098B3747B0D7C1D2A3CB185B8583,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017394Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:16:15.051{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=876B2D0C0E3B3D033F4A0963B197C3B3,SHA256=DBB2E07D689393CE98224CB8155475CCC2E339681E50F68F45BE85E43B61473E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032783Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:16:11.838{C64CDE3E-1D02-6227-6E00-000000003602}3608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local51004-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000032790Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:16:16.839{C64CDE3E-1CE6-6227-0D00-000000003602}8841404C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2D00-000000003602}3052C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032789Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:16:16.839{C64CDE3E-1CE6-6227-0D00-000000003602}8841404C:\Windows\system32\svchost.exe{C64CDE3E-2A1A-6227-1807-000000003602}1268C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000032788Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:16:16.639{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=173A3FA75C147C3066C60AC58D176247,SHA256=42B90278798E99506AFD40A5739EAFE777412D2CA44C37A473D0AF03B2892C18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017395Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:16:16.177{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A783DEA9F237CAC6C2847C6DD04DE958,SHA256=0C2B5F768AE39ABFE8DA806F449387C8996D55E571C71C50639C2DF6DCA91E51,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032791Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:16:17.702{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91163876ECE2AC28F066FDDD751D1475,SHA256=3C372C4424C2315149653B11A42424EFC63055AAFCF15F53BC2878A053AC1616,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017396Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:16:17.177{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A79CB04A7257F1DBFB7271B03B8D850F,SHA256=D89C6DC62B0B6A4FB80BE145B056FB93333494ECE61BDE5C69E4DDF07DA3D49E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032792Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:16:18.702{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=833309346E79EA50D1961078C072D374,SHA256=4A8C126DE8E430904315031DA6BBEA2AC29609D5E42632B7728145C94907A314,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000017398Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:16:16.367{DCBFC465-2057-6227-C700-000000003702}2764C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-179.eu-central-1.compute.internal50343-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000017397Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:16:18.177{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D5ECF18AAEA7C4DB8066A1D133CF006,SHA256=AA54D853D5872356AFFC196AD61ACBFE88E67FA7D4FDF789185980929125E822,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032803Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:16:19.721{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3618C12739C598A1CAC74AAD3F595AF2,SHA256=003E246785C3AD9B3427E96253FDF5B507B2A1C3A334B17EA258A2A54AD87E0E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017399Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:16:19.177{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=779C04A07AE95B1E82B0825C7D9F5AB4,SHA256=FE31D9C903248E7E21731F2963E3BD737DDDCDF0FBB5B2041D25CA4DF03883B2,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000032802Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-SetValue2022-03-08 10:16:19.454{C64CDE3E-1CE4-6227-0B00-000000003602}612C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x800000000000000032801Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-SetValue2022-03-08 10:16:19.454{C64CDE3E-1CE4-6227-0B00-000000003602}612C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x003ec565) 13241300x800000000000000032800Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-SetValue2022-03-08 10:16:19.454{C64CDE3E-1CE4-6227-0B00-000000003602}612C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d832cd-0x2b8a8c9a) 13241300x800000000000000032799Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-SetValue2022-03-08 10:16:19.454{C64CDE3E-1CE4-6227-0B00-000000003602}612C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d832d5-0x8d4ef49a) 13241300x800000000000000032798Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-SetValue2022-03-08 10:16:19.454{C64CDE3E-1CE4-6227-0B00-000000003602}612C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d832dd-0xef135c9a) 13241300x800000000000000032797Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-SetValue2022-03-08 10:16:19.454{C64CDE3E-1CE4-6227-0B00-000000003602}612C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x800000000000000032796Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-SetValue2022-03-08 10:16:19.454{C64CDE3E-1CE4-6227-0B00-000000003602}612C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x003ec565) 13241300x800000000000000032795Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-SetValue2022-03-08 10:16:19.454{C64CDE3E-1CE4-6227-0B00-000000003602}612C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d832cd-0x2b8a8c9a) 13241300x800000000000000032794Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-SetValue2022-03-08 10:16:19.454{C64CDE3E-1CE4-6227-0B00-000000003602}612C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d832d5-0x8d4ef49a) 13241300x800000000000000032793Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-SetValue2022-03-08 10:16:19.454{C64CDE3E-1CE4-6227-0B00-000000003602}612C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d832dd-0xef135c9a) 23542300x800000000000000032812Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:16:20.738{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E872ACDE9CD8D393E519FC8D185D989E,SHA256=FB2159CFD397AF895A1E668F99A7072ECC6BDC76963DFA0BE1506A49EB30560A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017400Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:16:20.177{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8743C58CAC409EE97DA1E84BA7E47306,SHA256=9B89EE67460A663D1275A78D8885548E3B92969122B2ACEE372D024DD5C14259,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000032811Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:16:20.538{C64CDE3E-1CF9-6227-3500-000000003602}32643284C:\Windows\system32\conhost.exe{C64CDE3E-2CF4-6227-8607-000000003602}4804C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032810Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:16:20.538{C64CDE3E-1CE6-6227-0C00-000000003602}8242200C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032809Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:16:20.538{C64CDE3E-1CE6-6227-0C00-000000003602}8242200C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032808Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:16:20.538{C64CDE3E-1CE6-6227-0C00-000000003602}8242200C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032807Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:16:20.538{C64CDE3E-1CE6-6227-0C00-000000003602}8242200C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032806Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:16:20.538{C64CDE3E-1CE4-6227-0500-000000003602}396412C:\Windows\system32\csrss.exe{C64CDE3E-2CF4-6227-8607-000000003602}4804C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000032805Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:16:20.538{C64CDE3E-1CF7-6227-2B00-000000003602}28962348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C64CDE3E-2CF4-6227-8607-000000003602}4804C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000032804Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:16:20.539{C64CDE3E-2CF4-6227-8607-000000003602}4804C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C64CDE3E-1CE4-6227-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{C64CDE3E-1CF7-6227-2B00-000000003602}2896C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000032825Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:16:21.753{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57D1A16C0D31252F12D74909BD238093,SHA256=6FAA2CF183F0A19EFFF77DE39F072167C6BF14430F5CCE777FDED82B00DB0C9A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017401Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:16:21.193{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AFED60A5BF57A0E03DD5E55036136F44,SHA256=EBACA11FBBBE7242F30BA22D7B5032C8B6F8B2AAAAF4122352F1653B82FA9D2B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032824Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:16:21.553{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8D718E80AC3BFBFA92D94DF1E9CEF7EC,SHA256=37F12988A5C09C8D40B0DF8B290689321883A3882C7D0C23621AEB6926205B91,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032823Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:16:21.553{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2F2245D0D82130AE8BEB49E0B81E9562,SHA256=80D0ECB4F1127C555E23C7621D97E8BBFDAF417A394BFC36FCC70AB445616A00,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032822Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:16:17.751{C64CDE3E-1D02-6227-6E00-000000003602}3608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local51005-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000032821Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:16:21.300{C64CDE3E-2CF5-6227-8707-000000003602}32764932C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{C64CDE3E-1CF7-6227-2B00-000000003602}2896C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032820Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:16:21.138{C64CDE3E-1CF9-6227-3500-000000003602}32643284C:\Windows\system32\conhost.exe{C64CDE3E-2CF5-6227-8707-000000003602}3276C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032819Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:16:21.138{C64CDE3E-1CE6-6227-0C00-000000003602}8242200C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032818Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:16:21.138{C64CDE3E-1CE6-6227-0C00-000000003602}8242200C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032817Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:16:21.138{C64CDE3E-1CE6-6227-0C00-000000003602}8242200C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032816Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:16:21.138{C64CDE3E-1CE6-6227-0C00-000000003602}8242200C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032815Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:16:21.138{C64CDE3E-1CE4-6227-0500-000000003602}396512C:\Windows\system32\csrss.exe{C64CDE3E-2CF5-6227-8707-000000003602}3276C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000032814Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:16:21.138{C64CDE3E-1CF7-6227-2B00-000000003602}28962348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C64CDE3E-2CF5-6227-8707-000000003602}3276C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000032813Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:16:21.139{C64CDE3E-2CF5-6227-8707-000000003602}3276C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C64CDE3E-1CE4-6227-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{C64CDE3E-1CF7-6227-2B00-000000003602}2896C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000032834Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:16:22.755{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6FFA3DA39B645CC8542B4AE66126251B,SHA256=ABD7905FCC8AF33D5EAE52EF396EA4C99CE7382EE49E3A456791284745817B79,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017402Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:16:22.193{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D89B1623FB79B9D5147CA00161DAF4B,SHA256=E35DB24AAC395411205B68A60DE2ED0F51BBE1D53E323FE4D7F3B8F1AB0D5479,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000032833Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:16:22.622{C64CDE3E-1CF9-6227-3500-000000003602}32643284C:\Windows\system32\conhost.exe{C64CDE3E-2CF6-6227-8807-000000003602}6076C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032832Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:16:22.620{C64CDE3E-1CE6-6227-0C00-000000003602}8242200C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032831Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:16:22.620{C64CDE3E-1CE6-6227-0C00-000000003602}8242200C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032830Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local