734700x800000000000000098346Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:49.760{326FD73D-C079-6294-2C0B-000000005502}964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x800000000000000098345Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:49.760{326FD73D-C079-6294-2C0B-000000005502}9642708C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{326FD73D-A44C-6294-0501-000000005502}5164C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000098344Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:49.760{326FD73D-C079-6294-2C0B-000000005502}964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000098343Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:49.760{326FD73D-C079-6294-2C0B-000000005502}964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x800000000000000098342Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:49.697{326FD73D-A45C-6294-5601-000000005502}6368NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E91FDA6814C499E75A5094CE6480AA7F,SHA256=4D0FBB8844A04D927E9A0594C7B3B76CB78FEA70D3E6DF3FC84ADF208F79DB13,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x800000000000000098341Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:49.557{326FD73D-C079-6294-2C0B-000000005502}964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000098340Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:49.557{326FD73D-C079-6294-2C0B-000000005502}964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000098339Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:49.557{326FD73D-C079-6294-2C0B-000000005502}964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000098338Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:49.557{326FD73D-C079-6294-2C0B-000000005502}964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x800000000000000098337Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:49.557{326FD73D-C079-6294-2C0B-000000005502}964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000098336Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:49.557{326FD73D-C079-6294-2C0B-000000005502}964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x800000000000000098335Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:49.557{326FD73D-C079-6294-2C0B-000000005502}964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000098334Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:49.557{326FD73D-C079-6294-2C0B-000000005502}964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x800000000000000098333Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:49.557{326FD73D-C079-6294-2C0B-000000005502}964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000098332Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:49.541{326FD73D-C079-6294-2C0B-000000005502}964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000098331Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:49.541{326FD73D-C079-6294-2C0B-000000005502}964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000098330Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:49.541{326FD73D-C079-6294-2C0B-000000005502}964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000098329Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:49.541{326FD73D-C079-6294-2C0B-000000005502}964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.5125 (rs1_release.220429-1732)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=D63E9AB9C67A611B947527D96B81B44D,SHA256=0F050418ED9A8C0F879636B1B25AF9C651966FE75B8EFAD76F2AD73BB0AD54BC,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000098328Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:49.541{326FD73D-C079-6294-2C0B-000000005502}964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4651 (rs1_release.210911-1554)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=3858DC319832992A738C12330E3E579C,SHA256=DEDE14211FCAE7CB5500730B35BABFEAC1F0D207A248D8B6418D2EEF8F348716,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000098327Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:49.541{326FD73D-C079-6294-2C0B-000000005502}964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.5125 (rs1_release.220429-1732)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=BA612E99251C829D7E20073F81A02617,SHA256=9BCFD0E0857596C5F0F7596B6A4A9207684617D8333EEAE9BC482AE1802752D9,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000098326Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:49.541{326FD73D-C079-6294-2C0B-000000005502}964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000098325Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:49.541{326FD73D-C079-6294-2C0B-000000005502}964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.5125 (rs1_release.220429-1732)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=5760D3C7E030C7F1984753F6050BF4DA,SHA256=DCB422305A2B3160F8FD53B3F3841B1EE80E4D81D2599FA02CEA9BBC5E5E2834,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000098324Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:49.541{326FD73D-C079-6294-2C0B-000000005502}964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000098323Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:49.541{326FD73D-C079-6294-2C0B-000000005502}964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000098322Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:49.541{326FD73D-C079-6294-2C0B-000000005502}964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000098321Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:49.541{326FD73D-C079-6294-2C0B-000000005502}964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000098320Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:49.541{326FD73D-C079-6294-2C0B-000000005502}964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000098319Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:49.541{326FD73D-C079-6294-2C0B-000000005502}964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5125 (rs1_release.220429-1732)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=E22D365A75901B1AED4B2A329FC3B5EC,SHA256=70073F203292301E5B6854DED0F9150B97F2E81A2E12FF40C81E978382B8D2CB,IMPHASH=154EA5DE40F0F2475E943DE8013E5692trueMicrosoft WindowsValid 734700x800000000000000098318Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:49.541{326FD73D-C079-6294-2C0B-000000005502}964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x800000000000000098317Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:49.541{326FD73D-C079-6294-2C0B-000000005502}964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000098316Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:49.541{326FD73D-C079-6294-2C0B-000000005502}964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000098315Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:49.541{326FD73D-C079-6294-2C0B-000000005502}964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000098314Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:49.541{326FD73D-C079-6294-2C0B-000000005502}964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000098313Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:49.541{326FD73D-C079-6294-2C0B-000000005502}964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000098312Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:49.541{326FD73D-C079-6294-2C0B-000000005502}964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000098311Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:49.541{326FD73D-C079-6294-2C0B-000000005502}964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000098310Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:49.541{326FD73D-C079-6294-2C0B-000000005502}964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000098309Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:49.541{326FD73D-C079-6294-2C0B-000000005502}964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000098308Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:49.541{326FD73D-C079-6294-2C0B-000000005502}964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x800000000000000098307Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:49.541{326FD73D-C079-6294-2C0B-000000005502}964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x800000000000000098306Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:49.541{326FD73D-A44C-6294-0901-000000005502}53725392C:\Windows\system32\conhost.exe{326FD73D-C079-6294-2C0B-000000005502}964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000098305Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:49.541{326FD73D-C079-6294-2C0B-000000005502}964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.5125 (rs1_release.220429-1732)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D8F18C830B03B0D60C10093ECB020E60,SHA256=CF0D33CEC46BB41C6F5693A84491ACD7F7CBECB429BA6C47AB5A170D4DF3484F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x800000000000000098304Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:49.541{326FD73D-C079-6294-2C0B-000000005502}964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.5066 (rs1_release.220401-1841)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=E258A076D1B87D41F724E431B3293BA5,SHA256=0670462AC0932F314B2E4A0A20B4B6F96C024C2310BD2AF21B20BF7A8EC9FF8E,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x800000000000000098303Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:49.541{326FD73D-C079-6294-2C0B-000000005502}964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000098302Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:49.541{326FD73D-C079-6294-2C0B-000000005502}964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9trueSplunk, Inc.Valid 10341000x800000000000000098301Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:49.541{326FD73D-A254-6294-0C00-000000005502}8482056C:\Windows\system32\svchost.exe{326FD73D-A262-6294-2700-000000005502}2872C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098300Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:49.541{326FD73D-A254-6294-0C00-000000005502}8482056C:\Windows\system32\svchost.exe{326FD73D-A262-6294-2700-000000005502}2872C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098299Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:49.541{326FD73D-A252-6294-0500-000000005502}416432C:\Windows\system32\csrss.exe{326FD73D-C079-6294-2C0B-000000005502}964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000098298Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:49.541{326FD73D-A254-6294-0C00-000000005502}8482056C:\Windows\system32\svchost.exe{326FD73D-A262-6294-2700-000000005502}2872C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098297Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:49.541{326FD73D-A254-6294-0C00-000000005502}8482056C:\Windows\system32\svchost.exe{326FD73D-A262-6294-2700-000000005502}2872C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098296Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:49.541{326FD73D-A44C-6294-0501-000000005502}51646008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{326FD73D-C079-6294-2C0B-000000005502}964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000098295Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:49.542{326FD73D-C079-6294-2C0B-000000005502}964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{326FD73D-A253-6294-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{326FD73D-A44C-6294-0501-000000005502}5164C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 734700x800000000000000098294Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:49.291{326FD73D-C079-6294-2B0B-000000005502}2040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x800000000000000098293Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:49.275{326FD73D-C079-6294-2B0B-000000005502}20406316C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{326FD73D-A44C-6294-0501-000000005502}5164C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000098292Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:49.275{326FD73D-C079-6294-2B0B-000000005502}2040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000098291Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:49.275{326FD73D-C079-6294-2B0B-000000005502}2040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x800000000000000098290Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:49.072{326FD73D-C079-6294-2B0B-000000005502}2040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000098289Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:49.057{326FD73D-C079-6294-2B0B-000000005502}2040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000098288Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:49.057{326FD73D-C079-6294-2B0B-000000005502}2040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000098287Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:49.057{326FD73D-C079-6294-2B0B-000000005502}2040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x800000000000000098286Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:49.057{326FD73D-C079-6294-2B0B-000000005502}2040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000098285Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:49.057{326FD73D-C079-6294-2B0B-000000005502}2040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x800000000000000098284Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:49.057{326FD73D-C079-6294-2B0B-000000005502}2040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000098283Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:49.057{326FD73D-C079-6294-2B0B-000000005502}2040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 23542300x800000000000000098282Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:49.057{326FD73D-A45C-6294-5601-000000005502}6368NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3C8A3844AED3DE4416A963FAE4645C5,SHA256=FE113B10130E4159E071F4CF70ABA40C906C6D98E10E29F4343EE4346B3A718D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x800000000000000098281Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:49.057{326FD73D-C079-6294-2B0B-000000005502}2040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000098280Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:49.057{326FD73D-C079-6294-2B0B-000000005502}2040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000098279Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:49.057{326FD73D-C079-6294-2B0B-000000005502}2040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000098278Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:49.057{326FD73D-C079-6294-2B0B-000000005502}2040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.5125 (rs1_release.220429-1732)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=5760D3C7E030C7F1984753F6050BF4DA,SHA256=DCB422305A2B3160F8FD53B3F3841B1EE80E4D81D2599FA02CEA9BBC5E5E2834,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000098277Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:49.057{326FD73D-C079-6294-2B0B-000000005502}2040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000098276Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:49.057{326FD73D-C079-6294-2B0B-000000005502}2040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000098275Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:49.057{326FD73D-C079-6294-2B0B-000000005502}2040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.5125 (rs1_release.220429-1732)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=D63E9AB9C67A611B947527D96B81B44D,SHA256=0F050418ED9A8C0F879636B1B25AF9C651966FE75B8EFAD76F2AD73BB0AD54BC,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000098274Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:49.057{326FD73D-C079-6294-2B0B-000000005502}2040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000098273Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:49.057{326FD73D-C079-6294-2B0B-000000005502}2040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4651 (rs1_release.210911-1554)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=3858DC319832992A738C12330E3E579C,SHA256=DEDE14211FCAE7CB5500730B35BABFEAC1F0D207A248D8B6418D2EEF8F348716,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000098272Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:49.057{326FD73D-C079-6294-2B0B-000000005502}2040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.5125 (rs1_release.220429-1732)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=BA612E99251C829D7E20073F81A02617,SHA256=9BCFD0E0857596C5F0F7596B6A4A9207684617D8333EEAE9BC482AE1802752D9,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000098271Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:49.057{326FD73D-C079-6294-2B0B-000000005502}2040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x800000000000000098270Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:49.057{326FD73D-C079-6294-2B0B-000000005502}2040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000098269Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:49.057{326FD73D-C079-6294-2B0B-000000005502}2040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000098268Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:49.057{326FD73D-C079-6294-2B0B-000000005502}2040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000098267Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:49.041{326FD73D-C079-6294-2B0B-000000005502}2040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000098266Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:49.041{326FD73D-C079-6294-2B0B-000000005502}2040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000098265Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:49.041{326FD73D-C079-6294-2B0B-000000005502}2040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000098264Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:49.041{326FD73D-C079-6294-2B0B-000000005502}2040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000098263Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:49.041{326FD73D-C079-6294-2B0B-000000005502}2040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000098262Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:49.041{326FD73D-C079-6294-2B0B-000000005502}2040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000098261Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:49.041{326FD73D-C079-6294-2B0B-000000005502}2040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000098260Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:49.041{326FD73D-C079-6294-2B0B-000000005502}2040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000098259Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:49.041{326FD73D-C079-6294-2B0B-000000005502}2040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x800000000000000098258Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:49.041{326FD73D-C079-6294-2B0B-000000005502}2040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5125 (rs1_release.220429-1732)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=E22D365A75901B1AED4B2A329FC3B5EC,SHA256=70073F203292301E5B6854DED0F9150B97F2E81A2E12FF40C81E978382B8D2CB,IMPHASH=154EA5DE40F0F2475E943DE8013E5692trueMicrosoft WindowsValid 734700x800000000000000098257Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:49.041{326FD73D-C079-6294-2B0B-000000005502}2040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000098256Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:49.041{326FD73D-C079-6294-2B0B-000000005502}2040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000098255Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:49.041{326FD73D-C079-6294-2B0B-000000005502}2040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x800000000000000098254Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:49.041{326FD73D-A44C-6294-0901-000000005502}53725392C:\Windows\system32\conhost.exe{326FD73D-C079-6294-2B0B-000000005502}2040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000098253Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:49.041{326FD73D-C079-6294-2B0B-000000005502}2040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.5125 (rs1_release.220429-1732)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D8F18C830B03B0D60C10093ECB020E60,SHA256=CF0D33CEC46BB41C6F5693A84491ACD7F7CBECB429BA6C47AB5A170D4DF3484F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x800000000000000098252Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:49.041{326FD73D-C079-6294-2B0B-000000005502}2040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.5066 (rs1_release.220401-1841)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=E258A076D1B87D41F724E431B3293BA5,SHA256=0670462AC0932F314B2E4A0A20B4B6F96C024C2310BD2AF21B20BF7A8EC9FF8E,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x800000000000000098251Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:49.041{326FD73D-C079-6294-2B0B-000000005502}2040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000098250Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:49.041{326FD73D-C079-6294-2B0B-000000005502}2040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9trueSplunk, Inc.Valid 10341000x800000000000000098249Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:49.041{326FD73D-A254-6294-0C00-000000005502}8482056C:\Windows\system32\svchost.exe{326FD73D-A262-6294-2700-000000005502}2872C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098248Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:49.041{326FD73D-A254-6294-0C00-000000005502}8482056C:\Windows\system32\svchost.exe{326FD73D-A262-6294-2700-000000005502}2872C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098247Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:49.041{326FD73D-A254-6294-0C00-000000005502}8482056C:\Windows\system32\svchost.exe{326FD73D-A262-6294-2700-000000005502}2872C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098246Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:49.041{326FD73D-A254-6294-0C00-000000005502}8482056C:\Windows\system32\svchost.exe{326FD73D-A262-6294-2700-000000005502}2872C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098245Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:49.041{326FD73D-A252-6294-0500-000000005502}4161908C:\Windows\system32\csrss.exe{326FD73D-C079-6294-2B0B-000000005502}2040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000098244Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:49.041{326FD73D-A44C-6294-0501-000000005502}51646008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{326FD73D-C079-6294-2B0B-000000005502}2040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000098243Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:49.042{326FD73D-C079-6294-2B0B-000000005502}2040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{326FD73D-A253-6294-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{326FD73D-A44C-6294-0501-000000005502}5164C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000098347Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:50.322{326FD73D-A45C-6294-5601-000000005502}6368NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6D36BD852AA2E70BC7CB5104C83C001,SHA256=C3F22F053A3A6D2F45A35E664D99E94BD3323D5373B5572908BB120213057CE8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000098400Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:51.525{326FD73D-A45C-6294-5601-000000005502}6368NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=670E4DAEC17A9B56A385E3158D264EFB,SHA256=53B4B4EE867611BEC9F5DFD4C5E7F4A2B23995EF907F163B1F6B13D48C4BA077,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x800000000000000098399Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:51.416{326FD73D-C07B-6294-2D0B-000000005502}5236C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x800000000000000098398Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:51.416{326FD73D-C07B-6294-2D0B-000000005502}52366916C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{326FD73D-A44C-6294-0501-000000005502}5164C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000098397Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:51.416{326FD73D-C07B-6294-2D0B-000000005502}5236C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000098396Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:51.416{326FD73D-C07B-6294-2D0B-000000005502}5236C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x800000000000000098395Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:51.244{326FD73D-C07B-6294-2D0B-000000005502}5236C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000098394Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:51.244{326FD73D-C07B-6294-2D0B-000000005502}5236C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000098393Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:51.244{326FD73D-C07B-6294-2D0B-000000005502}5236C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000098392Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:51.244{326FD73D-C07B-6294-2D0B-000000005502}5236C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x800000000000000098391Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:51.244{326FD73D-C07B-6294-2D0B-000000005502}5236C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000098390Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:51.244{326FD73D-C07B-6294-2D0B-000000005502}5236C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x800000000000000098389Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:51.244{326FD73D-C07B-6294-2D0B-000000005502}5236C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000098388Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:51.244{326FD73D-C07B-6294-2D0B-000000005502}5236C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x800000000000000098387Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:51.229{326FD73D-C07B-6294-2D0B-000000005502}5236C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000098386Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:51.229{326FD73D-C07B-6294-2D0B-000000005502}5236C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000098385Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:51.229{326FD73D-C07B-6294-2D0B-000000005502}5236C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000098384Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:51.229{326FD73D-C07B-6294-2D0B-000000005502}5236C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000098383Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:51.229{326FD73D-C07B-6294-2D0B-000000005502}5236C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\combase.dll10.0.14393.5125 (rs1_release.220429-1732)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=D63E9AB9C67A611B947527D96B81B44D,SHA256=0F050418ED9A8C0F879636B1B25AF9C651966FE75B8EFAD76F2AD73BB0AD54BC,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000098382Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:51.229{326FD73D-C07B-6294-2D0B-000000005502}5236C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ole32.dll10.0.14393.4651 (rs1_release.210911-1554)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=3858DC319832992A738C12330E3E579C,SHA256=DEDE14211FCAE7CB5500730B35BABFEAC1F0D207A248D8B6418D2EEF8F348716,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000098381Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:51.229{326FD73D-C07B-6294-2D0B-000000005502}5236C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5125 (rs1_release.220429-1732)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=5760D3C7E030C7F1984753F6050BF4DA,SHA256=DCB422305A2B3160F8FD53B3F3841B1EE80E4D81D2599FA02CEA9BBC5E5E2834,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000098380Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:51.229{326FD73D-C07B-6294-2D0B-000000005502}5236C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000098379Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:51.229{326FD73D-C07B-6294-2D0B-000000005502}5236C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000098378Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:51.229{326FD73D-C07B-6294-2D0B-000000005502}5236C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5125 (rs1_release.220429-1732)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=BA612E99251C829D7E20073F81A02617,SHA256=9BCFD0E0857596C5F0F7596B6A4A9207684617D8333EEAE9BC482AE1802752D9,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000098377Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:51.229{326FD73D-C07B-6294-2D0B-000000005502}5236C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000098376Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:51.229{326FD73D-C07B-6294-2D0B-000000005502}5236C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000098375Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:51.229{326FD73D-C07B-6294-2D0B-000000005502}5236C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000098374Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:51.229{326FD73D-C07B-6294-2D0B-000000005502}5236C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x800000000000000098373Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:51.229{326FD73D-C07B-6294-2D0B-000000005502}5236C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000098372Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:51.229{326FD73D-C07B-6294-2D0B-000000005502}5236C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000098371Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:51.229{326FD73D-C07B-6294-2D0B-000000005502}5236C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000098370Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:51.229{326FD73D-C07B-6294-2D0B-000000005502}5236C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000098369Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:51.229{326FD73D-C07B-6294-2D0B-000000005502}5236C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5125 (rs1_release.220429-1732)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=E22D365A75901B1AED4B2A329FC3B5EC,SHA256=70073F203292301E5B6854DED0F9150B97F2E81A2E12FF40C81E978382B8D2CB,IMPHASH=154EA5DE40F0F2475E943DE8013E5692trueMicrosoft WindowsValid 734700x800000000000000098368Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:51.229{326FD73D-C07B-6294-2D0B-000000005502}5236C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000098367Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:51.229{326FD73D-C07B-6294-2D0B-000000005502}5236C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000098366Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:51.229{326FD73D-C07B-6294-2D0B-000000005502}5236C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x800000000000000098365Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:51.229{326FD73D-C07B-6294-2D0B-000000005502}5236C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000098364Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:51.229{326FD73D-C07B-6294-2D0B-000000005502}5236C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000098363Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:51.229{326FD73D-C07B-6294-2D0B-000000005502}5236C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000098362Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:51.229{326FD73D-C07B-6294-2D0B-000000005502}5236C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000098361Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:51.229{326FD73D-C07B-6294-2D0B-000000005502}5236C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x800000000000000098360Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:51.229{326FD73D-C07B-6294-2D0B-000000005502}5236C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x800000000000000098359Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:51.229{326FD73D-A44C-6294-0901-000000005502}53725392C:\Windows\system32\conhost.exe{326FD73D-C07B-6294-2D0B-000000005502}5236C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000098358Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:51.229{326FD73D-C07B-6294-2D0B-000000005502}5236C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5125 (rs1_release.220429-1732)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D8F18C830B03B0D60C10093ECB020E60,SHA256=CF0D33CEC46BB41C6F5693A84491ACD7F7CBECB429BA6C47AB5A170D4DF3484F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x800000000000000098357Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:51.229{326FD73D-C07B-6294-2D0B-000000005502}5236C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5066 (rs1_release.220401-1841)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=E258A076D1B87D41F724E431B3293BA5,SHA256=0670462AC0932F314B2E4A0A20B4B6F96C024C2310BD2AF21B20BF7A8EC9FF8E,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x800000000000000098356Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:51.229{326FD73D-C07B-6294-2D0B-000000005502}5236C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000098355Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:51.229{326FD73D-C07B-6294-2D0B-000000005502}5236C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exeMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778trueSplunk, Inc.Valid 10341000x800000000000000098354Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:51.229{326FD73D-A254-6294-0C00-000000005502}8482056C:\Windows\system32\svchost.exe{326FD73D-A262-6294-2700-000000005502}2872C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098353Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:51.229{326FD73D-A254-6294-0C00-000000005502}8482056C:\Windows\system32\svchost.exe{326FD73D-A262-6294-2700-000000005502}2872C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098352Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:51.229{326FD73D-A254-6294-0C00-000000005502}8482056C:\Windows\system32\svchost.exe{326FD73D-A262-6294-2700-000000005502}2872C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098351Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:51.229{326FD73D-A254-6294-0C00-000000005502}8482056C:\Windows\system32\svchost.exe{326FD73D-A262-6294-2700-000000005502}2872C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098350Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:51.229{326FD73D-A252-6294-0500-000000005502}4161908C:\Windows\system32\csrss.exe{326FD73D-C07B-6294-2D0B-000000005502}5236C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000098349Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:51.229{326FD73D-A44C-6294-0501-000000005502}51646008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{326FD73D-C07B-6294-2D0B-000000005502}5236C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000098348Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:51.229{326FD73D-C07B-6294-2D0B-000000005502}5236C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{326FD73D-A253-6294-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{326FD73D-A44C-6294-0501-000000005502}5164C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000098491Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:52.682{326FD73D-A45C-6294-5601-000000005502}6368NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD4E298B48412F2302A47A1717A76747,SHA256=F83D41BE0E9F9FD8390B829AD83B76786834C65303BA8BE2B23B698869E92ED5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000098490Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:52.666{326FD73D-A45C-6294-5601-000000005502}6368NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DFD156FF2BEB9140D044A260152F4220,SHA256=3D2B1D12479E0AAB5184FEEBA581E2B61A379CE09688EE6FFFDB1C6863CCCA8A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000098489Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:52.666{326FD73D-A45C-6294-5601-000000005502}6368NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5AFDE6E10DDB25C445D5CC2421ED695B,SHA256=91ADF5844BFA6BB1CCBACF3C76CCB1203DFE40B931AF8242593DBCA071C71F8C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x800000000000000098488Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:52.244{326FD73D-C07C-6294-2E0B-000000005502}5532C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x800000000000000098487Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:52.244{326FD73D-C07C-6294-2E0B-000000005502}5532C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000098486Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:52.244{326FD73D-C07C-6294-2E0B-000000005502}5532C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 10341000x800000000000000098485Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:52.213{326FD73D-A254-6294-0D00-000000005502}908932C:\Windows\system32\svchost.exe{326FD73D-A441-6294-EB00-000000005502}4800C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098484Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:52.213{326FD73D-A254-6294-0D00-000000005502}908932C:\Windows\system32\svchost.exe{326FD73D-A441-6294-EB00-000000005502}4800C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098483Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:52.213{326FD73D-A254-6294-0D00-000000005502}908932C:\Windows\system32\svchost.exe{326FD73D-A441-6294-EB00-000000005502}4800C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098482Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:52.213{326FD73D-A254-6294-0D00-000000005502}908932C:\Windows\system32\svchost.exe{326FD73D-A441-6294-EB00-000000005502}4800C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098481Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:52.213{326FD73D-A254-6294-0D00-000000005502}908932C:\Windows\system32\svchost.exe{326FD73D-A441-6294-EB00-000000005502}4800C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098480Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:52.213{326FD73D-A254-6294-0D00-000000005502}908932C:\Windows\system32\svchost.exe{326FD73D-A441-6294-EB00-000000005502}4800C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098479Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:52.213{326FD73D-A254-6294-0D00-000000005502}908932C:\Windows\system32\svchost.exe{326FD73D-A441-6294-EB00-000000005502}4800C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098478Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:52.213{326FD73D-A254-6294-0D00-000000005502}908932C:\Windows\system32\svchost.exe{326FD73D-A441-6294-EB00-000000005502}4800C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098477Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:52.213{326FD73D-A254-6294-0D00-000000005502}908932C:\Windows\system32\svchost.exe{326FD73D-A441-6294-EB00-000000005502}4800C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098476Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:52.213{326FD73D-A254-6294-0D00-000000005502}908932C:\Windows\system32\svchost.exe{326FD73D-A441-6294-EB00-000000005502}4800C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098475Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:52.213{326FD73D-A254-6294-0D00-000000005502}908932C:\Windows\system32\svchost.exe{326FD73D-A441-6294-EB00-000000005502}4800C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098474Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:52.213{326FD73D-A254-6294-0D00-000000005502}908932C:\Windows\system32\svchost.exe{326FD73D-A441-6294-EB00-000000005502}4800C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098473Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:52.213{326FD73D-A254-6294-0D00-000000005502}908932C:\Windows\system32\svchost.exe{326FD73D-A441-6294-EB00-000000005502}4800C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098472Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:52.213{326FD73D-A254-6294-0D00-000000005502}908932C:\Windows\system32\svchost.exe{326FD73D-A441-6294-EB00-000000005502}4800C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098471Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:52.213{326FD73D-A254-6294-0D00-000000005502}908932C:\Windows\system32\svchost.exe{326FD73D-A441-6294-EB00-000000005502}4800C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098470Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:52.213{326FD73D-A254-6294-0D00-000000005502}908932C:\Windows\system32\svchost.exe{326FD73D-A441-6294-EB00-000000005502}4800C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098469Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:52.213{326FD73D-A254-6294-0D00-000000005502}908932C:\Windows\system32\svchost.exe{326FD73D-A441-6294-EB00-000000005502}4800C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098468Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:52.213{326FD73D-A254-6294-0D00-000000005502}908932C:\Windows\system32\svchost.exe{326FD73D-A441-6294-EB00-000000005502}4800C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098467Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:52.213{326FD73D-A254-6294-0D00-000000005502}908932C:\Windows\system32\svchost.exe{326FD73D-A441-6294-EB00-000000005502}4800C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098466Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:52.213{326FD73D-A254-6294-0D00-000000005502}908932C:\Windows\system32\svchost.exe{326FD73D-A441-6294-EB00-000000005502}4800C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098465Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:52.213{326FD73D-A254-6294-0D00-000000005502}908932C:\Windows\system32\svchost.exe{326FD73D-A441-6294-EB00-000000005502}4800C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098464Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:52.213{326FD73D-A254-6294-0D00-000000005502}908932C:\Windows\system32\svchost.exe{326FD73D-A441-6294-EB00-000000005502}4800C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098463Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:52.213{326FD73D-A254-6294-0D00-000000005502}908932C:\Windows\system32\svchost.exe{326FD73D-A441-6294-EB00-000000005502}4800C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098462Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:52.213{326FD73D-A254-6294-0D00-000000005502}908932C:\Windows\system32\svchost.exe{326FD73D-A441-6294-EB00-000000005502}4800C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098461Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:52.213{326FD73D-A254-6294-0D00-000000005502}908932C:\Windows\system32\svchost.exe{326FD73D-A44C-6294-0401-000000005502}4872C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098460Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:52.213{326FD73D-A254-6294-0D00-000000005502}908932C:\Windows\system32\svchost.exe{326FD73D-A44C-6294-0401-000000005502}4872C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098459Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:52.213{326FD73D-A254-6294-0D00-000000005502}908932C:\Windows\system32\svchost.exe{326FD73D-A44C-6294-0401-000000005502}4872C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098458Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:52.213{326FD73D-A254-6294-0D00-000000005502}908932C:\Windows\system32\svchost.exe{326FD73D-A44C-6294-0401-000000005502}4872C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098457Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:52.213{326FD73D-A254-6294-0D00-000000005502}908932C:\Windows\system32\svchost.exe{326FD73D-A44C-6294-0401-000000005502}4872C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098456Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:52.213{326FD73D-A254-6294-0D00-000000005502}908932C:\Windows\system32\svchost.exe{326FD73D-A44C-6294-0401-000000005502}4872C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098455Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:52.213{326FD73D-A254-6294-0D00-000000005502}908932C:\Windows\system32\svchost.exe{326FD73D-A44B-6294-FD00-000000005502}580C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098454Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:52.213{326FD73D-A254-6294-0D00-000000005502}908932C:\Windows\system32\svchost.exe{326FD73D-A44B-6294-FD00-000000005502}580C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098453Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:52.213{326FD73D-A254-6294-0D00-000000005502}908932C:\Windows\system32\svchost.exe{326FD73D-A44B-6294-FD00-000000005502}580C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098452Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:52.213{326FD73D-A254-6294-0D00-000000005502}908932C:\Windows\system32\svchost.exe{326FD73D-A44B-6294-FD00-000000005502}580C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098451Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:52.213{326FD73D-A254-6294-0D00-000000005502}908932C:\Windows\system32\svchost.exe{326FD73D-A44B-6294-FD00-000000005502}580C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098450Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:52.213{326FD73D-A254-6294-0D00-000000005502}908932C:\Windows\system32\svchost.exe{326FD73D-A44B-6294-FD00-000000005502}580C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098449Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:52.213{326FD73D-A254-6294-0D00-000000005502}908932C:\Windows\system32\svchost.exe{326FD73D-A44B-6294-FD00-000000005502}580C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000098448Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:52.072{326FD73D-C07C-6294-2E0B-000000005502}5532C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000098447Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:52.072{326FD73D-C07C-6294-2E0B-000000005502}5532C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000098446Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:52.072{326FD73D-C07C-6294-2E0B-000000005502}5532C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000098445Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:52.072{326FD73D-C07C-6294-2E0B-000000005502}5532C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x800000000000000098444Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:52.072{326FD73D-C07C-6294-2E0B-000000005502}5532C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x800000000000000098443Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:52.072{326FD73D-C07C-6294-2E0B-000000005502}5532C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000098442Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:52.072{326FD73D-C07C-6294-2E0B-000000005502}5532C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x800000000000000098441Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:52.057{326FD73D-C07C-6294-2E0B-000000005502}5532C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000098440Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:52.057{326FD73D-C07C-6294-2E0B-000000005502}5532C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000098439Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:52.057{326FD73D-C07C-6294-2E0B-000000005502}5532C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5125 (rs1_release.220429-1732)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=5760D3C7E030C7F1984753F6050BF4DA,SHA256=DCB422305A2B3160F8FD53B3F3841B1EE80E4D81D2599FA02CEA9BBC5E5E2834,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000098438Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:52.057{326FD73D-C07C-6294-2E0B-000000005502}5532C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000098437Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:52.041{326FD73D-C07C-6294-2E0B-000000005502}5532C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000098436Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:52.041{326FD73D-C07C-6294-2E0B-000000005502}5532C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000098435Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:52.041{326FD73D-C07C-6294-2E0B-000000005502}5532C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000098434Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:52.041{326FD73D-C07C-6294-2E0B-000000005502}5532C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\winspool.drv10.0.14393.5125 (rs1_release.220429-1732)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=B2906606F5996AC73714F1910DB63626,SHA256=6BC9B694C275405A54CA8116C4D2BAD2ECA39B28B34B04358818059D743A572F,IMPHASH=396555AAEAB1402915E17EE8C257B7CFtrueMicrosoft WindowsValid 734700x800000000000000098433Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:52.041{326FD73D-C07C-6294-2E0B-000000005502}5532C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000098432Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:52.041{326FD73D-C07C-6294-2E0B-000000005502}5532C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000098431Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:52.041{326FD73D-C07C-6294-2E0B-000000005502}5532C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x800000000000000098430Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:52.041{326FD73D-C07C-6294-2E0B-000000005502}5532C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000098429Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:52.041{326FD73D-C07C-6294-2E0B-000000005502}5532C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\combase.dll10.0.14393.5125 (rs1_release.220429-1732)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=D63E9AB9C67A611B947527D96B81B44D,SHA256=0F050418ED9A8C0F879636B1B25AF9C651966FE75B8EFAD76F2AD73BB0AD54BC,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000098428Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:52.041{326FD73D-C07C-6294-2E0B-000000005502}5532C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000098427Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:52.041{326FD73D-C07C-6294-2E0B-000000005502}5532C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000098426Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:52.041{326FD73D-C07C-6294-2E0B-000000005502}5532C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000098425Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:52.041{326FD73D-C07C-6294-2E0B-000000005502}5532C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ole32.dll10.0.14393.4651 (rs1_release.210911-1554)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=3858DC319832992A738C12330E3E579C,SHA256=DEDE14211FCAE7CB5500730B35BABFEAC1F0D207A248D8B6418D2EEF8F348716,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000098424Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:52.041{326FD73D-C07C-6294-2E0B-000000005502}5532C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000098423Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:52.041{326FD73D-C07C-6294-2E0B-000000005502}5532C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x800000000000000098422Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:52.041{326FD73D-C07C-6294-2E0B-000000005502}5532C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000098421Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:52.041{326FD73D-C07C-6294-2E0B-000000005502}5532C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000098420Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:52.041{326FD73D-C07C-6294-2E0B-000000005502}5532C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5125 (rs1_release.220429-1732)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=E22D365A75901B1AED4B2A329FC3B5EC,SHA256=70073F203292301E5B6854DED0F9150B97F2E81A2E12FF40C81E978382B8D2CB,IMPHASH=154EA5DE40F0F2475E943DE8013E5692trueMicrosoft WindowsValid 734700x800000000000000098419Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:52.041{326FD73D-C07C-6294-2E0B-000000005502}5532C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000098418Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:52.041{326FD73D-C07C-6294-2E0B-000000005502}5532C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000098417Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:52.041{326FD73D-C07C-6294-2E0B-000000005502}5532C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x800000000000000098416Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:52.041{326FD73D-C07C-6294-2E0B-000000005502}5532C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5125 (rs1_release.220429-1732)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=BA612E99251C829D7E20073F81A02617,SHA256=9BCFD0E0857596C5F0F7596B6A4A9207684617D8333EEAE9BC482AE1802752D9,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000098415Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:52.041{326FD73D-C07C-6294-2E0B-000000005502}5532C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000098414Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:52.041{326FD73D-C07C-6294-2E0B-000000005502}5532C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000098413Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:52.041{326FD73D-C07C-6294-2E0B-000000005502}5532C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x800000000000000098412Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:52.041{326FD73D-A44C-6294-0901-000000005502}53725392C:\Windows\system32\conhost.exe{326FD73D-C07C-6294-2E0B-000000005502}5532C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000098411Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:52.041{326FD73D-C07C-6294-2E0B-000000005502}5532C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5125 (rs1_release.220429-1732)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D8F18C830B03B0D60C10093ECB020E60,SHA256=CF0D33CEC46BB41C6F5693A84491ACD7F7CBECB429BA6C47AB5A170D4DF3484F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x800000000000000098410Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:52.041{326FD73D-C07C-6294-2E0B-000000005502}5532C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5066 (rs1_release.220401-1841)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=E258A076D1B87D41F724E431B3293BA5,SHA256=0670462AC0932F314B2E4A0A20B4B6F96C024C2310BD2AF21B20BF7A8EC9FF8E,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x800000000000000098409Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:52.041{326FD73D-C07C-6294-2E0B-000000005502}5532C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000098408Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:52.041{326FD73D-C07C-6294-2E0B-000000005502}5532C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exeMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9trueSplunk, Inc.Valid 10341000x800000000000000098407Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:52.041{326FD73D-A254-6294-0C00-000000005502}8482056C:\Windows\system32\svchost.exe{326FD73D-A262-6294-2700-000000005502}2872C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098406Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:52.041{326FD73D-A254-6294-0C00-000000005502}8482056C:\Windows\system32\svchost.exe{326FD73D-A262-6294-2700-000000005502}2872C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098405Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:52.041{326FD73D-A254-6294-0C00-000000005502}8482056C:\Windows\system32\svchost.exe{326FD73D-A262-6294-2700-000000005502}2872C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098404Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:52.041{326FD73D-A254-6294-0C00-000000005502}8482056C:\Windows\system32\svchost.exe{326FD73D-A262-6294-2700-000000005502}2872C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098403Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:52.041{326FD73D-A252-6294-0500-000000005502}416432C:\Windows\system32\csrss.exe{326FD73D-C07C-6294-2E0B-000000005502}5532C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000098402Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:52.041{326FD73D-A44C-6294-0501-000000005502}51646008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{326FD73D-C07C-6294-2E0B-000000005502}5532C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000098401Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:52.042{326FD73D-C07C-6294-2E0B-000000005502}5532C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{326FD73D-A253-6294-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{326FD73D-A44C-6294-0501-000000005502}5164C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000098492Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:53.760{326FD73D-A45C-6294-5601-000000005502}6368NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=267A9D9E82710AF43C352A951C1E7332,SHA256=06ECD2169AC8A60B2636C7A7CBBC9E84A8A6F49700D53583EA3EE4249EC4F947,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000098494Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:54.853{326FD73D-A45C-6294-5601-000000005502}6368NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59CE68AAA05274115B0AC1901874AC59,SHA256=21FCB6B0D428911374FF5F1CC6C128DDD052033A5EF511B8DB9C12D5C3B3D316,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000098493Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:49.969{326FD73D-A455-6294-3701-000000005502}6180C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-994.attackrange.local53307-false10.0.1.12-8000- 23542300x800000000000000098495Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:55.947{326FD73D-A45C-6294-5601-000000005502}6368NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40B4B2E540B0AD09937C7C76AE4B02E6,SHA256=9FA5DE90EDBF5362CBEEC3D8BDBAA5E29FE89E40DED987F5006F941B9E73ACE8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000098496Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:57.041{326FD73D-A45C-6294-5601-000000005502}6368NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BDB050D6EB305D8D78BCCDF3D8321B41,SHA256=758BA7FA3A4F8FA8B252627EA30266065B0431096BA56C899729DD8C8F35B96C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000098497Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:58.150{326FD73D-A45C-6294-5601-000000005502}6368NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=911452481ACBC265F42B3A0F33B59410,SHA256=9F9B88C1297A66212BCD7575BA1C5E3B72BB561A64046E9E40867FAA247C6DAE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000098498Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:59.244{326FD73D-A45C-6294-5601-000000005502}6368NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18AECCA98368B6F8A46F21A33700A538,SHA256=ECA5396C71B64CA987C75F29666731FDF216547C19CF11893B13290F083B3F3A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000098500Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:00.338{326FD73D-A45C-6294-5601-000000005502}6368NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1E3776573736D15267F148AC71499A2,SHA256=BD1268437EE86E9EC819514E8B04DAC3E236462593D6AAE14729AD84C100BB0A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000098499Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:55.999{326FD73D-A455-6294-3701-000000005502}6180C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-994.attackrange.local53308-false10.0.1.12-8000- 23542300x800000000000000098501Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:01.432{326FD73D-A45C-6294-5601-000000005502}6368NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6B5C79E4F0667CFF84FA520EB244328,SHA256=7AB886F8E2E90F1DB593289E8583AA05DBD937BA853D66ECB6372F0A39972BC6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000098502Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:02.525{326FD73D-A45C-6294-5601-000000005502}6368NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4503447AF5E92D8B333E000E235EA04,SHA256=7DD38058520C78D315D19BDBEB56AA9C72B234923D2126CF508198D3CAF926EE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000098503Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:03.619{326FD73D-A45C-6294-5601-000000005502}6368NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=818460CC2B2B4DD6112CB520D7C27D68,SHA256=B0B761BB0769B4AF51C91C91C0A43A2F3E463EE0F32887F2B043FEE67D41F60C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000098504Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:04.713{326FD73D-A45C-6294-5601-000000005502}6368NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71B7EF3037B895DBC96E9BB6D2326555,SHA256=BE0F8172093113BC8ECABE5F154B786CFD24935A4F05C874C739720E98DEBEFF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000098505Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:05.807{326FD73D-A45C-6294-5601-000000005502}6368NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1520945D70C6047AFC2A878ADBE3250,SHA256=EE34DAC434BA64B1F8A3D1B6AABAE42B6A3E7DE71BBF058886B40406AEA8C123,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000098507Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:06.900{326FD73D-A45C-6294-5601-000000005502}6368NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27696179A1A2544BC62086FCCD6538FE,SHA256=D1F6D136C4C4ED7DBD4CB2BE0DED91F7B3C772F19544A895E8AA613D855B4166,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000098506Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:02.015{326FD73D-A455-6294-3701-000000005502}6180C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-994.attackrange.local53309-false10.0.1.12-8000- 23542300x800000000000000098508Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:07.994{326FD73D-A45C-6294-5601-000000005502}6368NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A287E5BD7AFE90CEB6B3C18F07B6B638,SHA256=C60F51DED32A015422A0AD4C0753F2C585FDE1D4EC52B0C02FD55B80DDBF5399,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000098509Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:09.088{326FD73D-A45C-6294-5601-000000005502}6368NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26A63316876553BDEEAEA436D6DA5CCD,SHA256=3D342F1045FF151AB3A9DB8F31431FEDC3A6A1B620BAA61A6915631A9BBD3C7D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000098510Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:10.181{326FD73D-A45C-6294-5601-000000005502}6368NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CC3E1B2848812D01EBDF677ECFFB6C3,SHA256=FE49153DAC8A2FE681D3228AAD07D6A3AE5ACCBE89BFCDF02F3135C0951B8C28,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000098512Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:07.968{326FD73D-A455-6294-3701-000000005502}6180C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-994.attackrange.local53310-false10.0.1.12-8000- 23542300x800000000000000098511Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:11.275{326FD73D-A45C-6294-5601-000000005502}6368NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75907C31B1EDFBB8CE079D1B21C03F2B,SHA256=B7CA18B531067BE051FC64C099078B9C37B024348BAA0B1B4C836501DD406D6E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000098513Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:12.369{326FD73D-A45C-6294-5601-000000005502}6368NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F761E9C99FCB3EECA99A3EF33AB66A4,SHA256=77D7C27F09679AAE44FF6FBFCD982F1190B1AA7A904B142F50AC541703A83085,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000098514Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:13.463{326FD73D-A45C-6294-5601-000000005502}6368NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=540329D0E3B7C0B0EED98EAFCC3D9499,SHA256=C4FAF66EE93556EB46309BAC8678BD3E53EE0DB39B6904AA68B2E34E8E04D12F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000098515Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:14.556{326FD73D-A45C-6294-5601-000000005502}6368NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F47EFE6E93AF2DC1968B4D371ACFD29,SHA256=2F08210459995FBB792CD107F6A3BA3D6A5B73C0B305BEEC8516430C643458BF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000098516Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:15.650{326FD73D-A45C-6294-5601-000000005502}6368NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D5188197D9F057913AB6B7835C6099F,SHA256=DBC7A2B15FF34567586417E92FFE510BF6F769E43273B80B49E82BA75350BDCC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000098518Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:16.744{326FD73D-A45C-6294-5601-000000005502}6368NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F833C4F75AEE16DE27703B847C9C93A,SHA256=A141E882EF661C90446AC32A98DFF50683EA258ECEAF30C712BECBE13F7101A3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000098517Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:13.078{326FD73D-A455-6294-3701-000000005502}6180C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-994.attackrange.local53311-false10.0.1.12-8000- 23542300x800000000000000098519Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:17.838{326FD73D-A45C-6294-5601-000000005502}6368NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9FCFCECBCA616CE5B87CDC0AD18D184,SHA256=97CFA1D08519310453315189F0E41066D6496A962B679300C86FEA4E87704389,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000098521Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:18.931{326FD73D-A45C-6294-5601-000000005502}6368NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4C46E834455A984ADCBF7B0AB6027FB,SHA256=2DFDFD2ED22303222753CF3A2716CBE487AF17A4EE648A29125EFE5CA198A1AB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000098520Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:18.353{326FD73D-A44C-6294-0501-000000005502}5164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=2DDB2F76134BB4CCACA34D03A0FD7B93,SHA256=881F8670E05A51CE1019CB7B36D1BB2CF0565B6AF6ADF723ACFE2C6ADA3ABAEB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000098522Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:19.072{326FD73D-A254-6294-1100-000000005502}104NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=789378AE5D6DBC9DDBDC4E278D612DC3,SHA256=CE99020FED46A779F35AF7E535DD435A6CFB1D68279082587E3BA07728D61CF1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000098523Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:20.025{326FD73D-A45C-6294-5601-000000005502}6368NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C43FE991F940A320E9470AA57F59EFF4,SHA256=42AB88F9C9E51E4DB70121583AEE665B812F593E00D33AF7664AE1A21B4E7E15,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000098525Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:18.093{326FD73D-A455-6294-3701-000000005502}6180C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-994.attackrange.local53312-false10.0.1.12-8000- 23542300x800000000000000098524Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:21.119{326FD73D-A45C-6294-5601-000000005502}6368NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38096C21D4B961AF90ED79A2FCBFB195,SHA256=875DE63D16F269ED2586B07B21DA908EDEA5F777436C03936C6AF1266084BC70,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000098526Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:22.213{326FD73D-A45C-6294-5601-000000005502}6368NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB9232CCA27D099C119FE2A08D60596E,SHA256=04C091959DF545819A0C6BC150A5FA3CE1DBC2CD77DB6D9B60119518D1D4CDFD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000098528Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:23.634{326FD73D-A44C-6294-0501-000000005502}5164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=B815FDBF3105A0143C61AE82F95AAF1E,SHA256=95D93950BC72E3B7DDB3127D4556C8DC830B74A59CF059DD284FB46B71551B09,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000098527Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:23.306{326FD73D-A45C-6294-5601-000000005502}6368NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25AA65350AC0D3A767C26EF3D52FB305,SHA256=F5C748546E7B7C4ABD6BD639A47F11207D5FA037585656C5DE403E55EA41C7D8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000098530Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:21.530{326FD73D-A44C-6294-0501-000000005502}5164C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-994.attackrange.local53313-false10.0.1.12-8089- 23542300x800000000000000098529Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:24.400{326FD73D-A45C-6294-5601-000000005502}6368NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E695B45178C25D7B371B69C2D9E0C03C,SHA256=D64B6B434AEA4B213B390D62E30B8F530118557D9CFC71A5B495398C9F97FA19,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000098531Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:25.494{326FD73D-A45C-6294-5601-000000005502}6368NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9CEF17A995A8BCC0F096C9E3A0FCE2F4,SHA256=247C119074EF5C4B299DDC68D7BFFA759659694A13A18F82911D9073B4332B4A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000098532Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:26.587{326FD73D-A45C-6294-5601-000000005502}6368NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CEBF729C1A2D123377DA0D7C348A8DB8,SHA256=24844F51732181C683292774DA2EEC6D180F2AC1B7BA63BA61FF682C140180D8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000098533Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:27.681{326FD73D-A45C-6294-5601-000000005502}6368NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D0171110ABD3919A492F159E9A91CA1,SHA256=4A66D78D9E631D587615A2A4204B8B2746244B0551FA9DA4323876214F366F72,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000098535Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:28.775{326FD73D-A45C-6294-5601-000000005502}6368NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08275C56CE398DBCC62B5948860A40A6,SHA256=844CB72AB46872968D2B4D0D0A9C56D69A5DB12E814F4EC8286F6C009BA9D7F8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000098534Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:24.046{326FD73D-A455-6294-3701-000000005502}6180C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-994.attackrange.local53314-false10.0.1.12-8000- 23542300x800000000000000098536Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:29.869{326FD73D-A45C-6294-5601-000000005502}6368NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=290E66ABB2C5BB8442CAC50D4AA13598,SHA256=D33BD1636176F8C4351D545B01D83B34713B1A92D6D4917AF9A9306F7BD34701,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000098537Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:30.962{326FD73D-A45C-6294-5601-000000005502}6368NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79CB18B942C9E4638BB7A586809359AE,SHA256=1273BCC5AF5CEF9F45ED3CEBA375CAFB4C9A17EE132F5E568929F7069A17B42A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000098538Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:32.056{326FD73D-A45C-6294-5601-000000005502}6368NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7AD9A8469E3BF06F030A7E353B34ECFA,SHA256=968A9DBBEAF658354C1B9055C68AC3EF9B7D2D88D0BD68BA2EFD1C1AE2E52114,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000098540Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:29.061{326FD73D-A455-6294-3701-000000005502}6180C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-994.attackrange.local53315-false10.0.1.12-8000- 23542300x800000000000000098539Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:33.166{326FD73D-A45C-6294-5601-000000005502}6368NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C42BDB6D2A01991F44D9905FFAD3928,SHA256=21AC60E1236BEC9E32FB56E6DE54857BC63D2581A30E6BF1C8C0AD565C782705,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000098541Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:34.259{326FD73D-A45C-6294-5601-000000005502}6368NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DAAFC3D0C9BBEACA1E28B661254CD032,SHA256=7992C8B9A24D33F640FAC350502FD70A4E2BF7D3BB4269219E861DCFB46428D7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000098542Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:35.353{326FD73D-A45C-6294-5601-000000005502}6368NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA89AAE95E279E0DCC1795FEF226D846,SHA256=35ECC73449180F351DAFB8BD798698AD8E4C6B53DFAA77CC8BE14139ADE63B9E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000098543Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:36.447{326FD73D-A45C-6294-5601-000000005502}6368NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0EDA8F3903E5736150B2CE83FFF0E124,SHA256=86C84B1E1C2900EC80208FFF6DF2A9C3750E3DD9C97E6DF168A0964F622F55B6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000098544Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:37.540{326FD73D-A45C-6294-5601-000000005502}6368NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D6C361A2738F446D89B876234B87C24,SHA256=D1EF77FFAD4EE1369D6B036BFD8D02FEDF484EB6A401AEAB8093DFF55E70328B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000098546Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:38.634{326FD73D-A45C-6294-5601-000000005502}6368NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0424E29183B4F3F9B39019653DF09DF,SHA256=3A4F22B46D3C10055EAB968F8CA8D00287816FB9BD979B6C1BE44A4CB87CFA80,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000098545Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:35.030{326FD73D-A455-6294-3701-000000005502}6180C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-994.attackrange.local53316-false10.0.1.12-8000- 23542300x800000000000000098547Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:39.728{326FD73D-A45C-6294-5601-000000005502}6368NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8818B7987C882A2FEF57B7915265E76,SHA256=ABB336FB5DDE91FC70A1B0C4240ED14634FC385B77E440D0330DDF5B1E3931CC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000098548Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:40.822{326FD73D-A45C-6294-5601-000000005502}6368NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40E85763F28AEEE220EDD2FBCC8C3FFE,SHA256=0A0BF4785636298DD22E4B97F66BC6D5BEE2903CC932F233B074FD1F4186FEA3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000098550Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:41.904{326FD73D-A45C-6294-5601-000000005502}6368NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F43B86B99FCE2048A7E00141D484EFC6,SHA256=7A5D48DAC8386B31C1A56FE6684AA8ED3046C8466DF13C562E21AC4E719D67D7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000098549Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:41.795{326FD73D-A262-6294-2400-000000005502}2732NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-099f25d280474ac19\channels\health\respondent-20220530105428-125MD5=3A7897B317CA03B79FE07533175F9643,SHA256=F76FF17815B8F96571634A983322FD544389A7130FC207258DDFB92658757A4D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000098552Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:42.996{326FD73D-A45C-6294-5601-000000005502}6368NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=671EE2752952116AC24C5F03DD265B17,SHA256=A92F5883586DBB200106272C21F632EE026F6D2F14BD9D0520338DC83FFDD102,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000098551Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:42.795{326FD73D-A262-6294-2400-000000005502}2732NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-099f25d280474ac19\channels\health\surveyor-20220530105426-126MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000098554Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:43.546{326FD73D-A45C-6294-5601-000000005502}6368NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9E64B32CD1AF21994C326A309262ACE0,SHA256=D8A49BBFD433C3EE66721C787F21A7AE56725D4E6857F2B02FF3FB8A05BAB4E0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000098553Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:40.097{326FD73D-A455-6294-3701-000000005502}6180C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-994.attackrange.local53317-false10.0.1.12-8000- 354300x800000000000000098557Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:40.409{326FD73D-A253-6294-0B00-000000005502}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-994.attackrange.local53318-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-994.attackrange.local389ldap 354300x800000000000000098556Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:40.409{326FD73D-A262-6294-2300-000000005502}2720C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-994.attackrange.local53318-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-994.attackrange.local389ldap 23542300x800000000000000098555Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:44.109{326FD73D-A45C-6294-5601-000000005502}6368NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E8D221B53513A8759C32EA9313C5F95,SHA256=CC7091CDCA060A33AEE81A3BA03772C3CB82282192CC4A872810414F4BED3D91,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x800000000000000098606Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:45.874{326FD73D-C0B1-6294-2F0B-000000005502}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000098605Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:45.874{326FD73D-C0B1-6294-2F0B-000000005502}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000098604Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:45.874{326FD73D-C0B1-6294-2F0B-000000005502}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000098603Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:45.859{326FD73D-C0B1-6294-2F0B-000000005502}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x800000000000000098602Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:45.859{326FD73D-C0B1-6294-2F0B-000000005502}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000098601Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:45.859{326FD73D-C0B1-6294-2F0B-000000005502}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x800000000000000098600Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:45.859{326FD73D-C0B1-6294-2F0B-000000005502}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000098599Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:45.859{326FD73D-C0B1-6294-2F0B-000000005502}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x800000000000000098598Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:45.859{326FD73D-C0B1-6294-2F0B-000000005502}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000098597Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:45.859{326FD73D-C0B1-6294-2F0B-000000005502}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000098596Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:45.859{326FD73D-C0B1-6294-2F0B-000000005502}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000098595Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:45.859{326FD73D-C0B1-6294-2F0B-000000005502}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000098594Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:45.843{326FD73D-C0B1-6294-2F0B-000000005502}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\combase.dll10.0.14393.5125 (rs1_release.220429-1732)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=D63E9AB9C67A611B947527D96B81B44D,SHA256=0F050418ED9A8C0F879636B1B25AF9C651966FE75B8EFAD76F2AD73BB0AD54BC,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000098593Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:45.843{326FD73D-C0B1-6294-2F0B-000000005502}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ole32.dll10.0.14393.4651 (rs1_release.210911-1554)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=3858DC319832992A738C12330E3E579C,SHA256=DEDE14211FCAE7CB5500730B35BABFEAC1F0D207A248D8B6418D2EEF8F348716,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000098592Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:45.843{326FD73D-C0B1-6294-2F0B-000000005502}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\Wldap32.dll10.0.14393.5125 (rs1_release.220429-1732)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=5760D3C7E030C7F1984753F6050BF4DA,SHA256=DCB422305A2B3160F8FD53B3F3841B1EE80E4D81D2599FA02CEA9BBC5E5E2834,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000098591Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:45.843{326FD73D-C0B1-6294-2F0B-000000005502}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000098590Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:45.843{326FD73D-C0B1-6294-2F0B-000000005502}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000098589Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:45.843{326FD73D-C0B1-6294-2F0B-000000005502}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32full.dll10.0.14393.5125 (rs1_release.220429-1732)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=BA612E99251C829D7E20073F81A02617,SHA256=9BCFD0E0857596C5F0F7596B6A4A9207684617D8333EEAE9BC482AE1802752D9,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000098588Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:45.843{326FD73D-C0B1-6294-2F0B-000000005502}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000098587Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:45.843{326FD73D-C0B1-6294-2F0B-000000005502}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000098586Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:45.843{326FD73D-C0B1-6294-2F0B-000000005502}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x800000000000000098585Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:45.843{326FD73D-C0B1-6294-2F0B-000000005502}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000098584Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:45.843{326FD73D-C0B1-6294-2F0B-000000005502}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000098583Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:45.843{326FD73D-C0B1-6294-2F0B-000000005502}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000098582Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:45.843{326FD73D-C0B1-6294-2F0B-000000005502}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000098581Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:45.843{326FD73D-C0B1-6294-2F0B-000000005502}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000098580Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:45.843{326FD73D-C0B1-6294-2F0B-000000005502}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5125 (rs1_release.220429-1732)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=E22D365A75901B1AED4B2A329FC3B5EC,SHA256=70073F203292301E5B6854DED0F9150B97F2E81A2E12FF40C81E978382B8D2CB,IMPHASH=154EA5DE40F0F2475E943DE8013E5692trueMicrosoft WindowsValid 734700x800000000000000098579Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:45.843{326FD73D-C0B1-6294-2F0B-000000005502}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000098578Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:45.843{326FD73D-C0B1-6294-2F0B-000000005502}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x800000000000000098577Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:45.843{326FD73D-C0B1-6294-2F0B-000000005502}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000098576Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:45.843{326FD73D-C0B1-6294-2F0B-000000005502}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000098575Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:45.843{326FD73D-C0B1-6294-2F0B-000000005502}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000098574Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:45.843{326FD73D-C0B1-6294-2F0B-000000005502}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000098573Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:45.843{326FD73D-C0B1-6294-2F0B-000000005502}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000098572Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:45.843{326FD73D-C0B1-6294-2F0B-000000005502}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518F,IMPHASH=74D3C2DA8B6F9861866B866AE40683D3trueMicrosoft WindowsValid 734700x800000000000000098571Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:45.843{326FD73D-C0B1-6294-2F0B-000000005502}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x800000000000000098570Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:45.843{326FD73D-A44C-6294-0901-000000005502}53725392C:\Windows\system32\conhost.exe{326FD73D-C0B1-6294-2F0B-000000005502}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000098569Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:45.843{326FD73D-C0B1-6294-2F0B-000000005502}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\KernelBase.dll10.0.14393.5125 (rs1_release.220429-1732)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D8F18C830B03B0D60C10093ECB020E60,SHA256=CF0D33CEC46BB41C6F5693A84491ACD7F7CBECB429BA6C47AB5A170D4DF3484F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x800000000000000098568Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:45.843{326FD73D-C0B1-6294-2F0B-000000005502}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel32.dll10.0.14393.5066 (rs1_release.220401-1841)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=E258A076D1B87D41F724E431B3293BA5,SHA256=0670462AC0932F314B2E4A0A20B4B6F96C024C2310BD2AF21B20BF7A8EC9FF8E,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x800000000000000098567Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:45.843{326FD73D-C0B1-6294-2F0B-000000005502}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000098566Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:45.843{326FD73D-C0B1-6294-2F0B-000000005502}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exeMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02DtrueSplunk, Inc.Valid 10341000x800000000000000098565Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:45.843{326FD73D-A254-6294-0C00-000000005502}8482056C:\Windows\system32\svchost.exe{326FD73D-A262-6294-2700-000000005502}2872C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098564Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:45.843{326FD73D-A254-6294-0C00-000000005502}8482056C:\Windows\system32\svchost.exe{326FD73D-A262-6294-2700-000000005502}2872C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098563Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:45.843{326FD73D-A254-6294-0C00-000000005502}8482056C:\Windows\system32\svchost.exe{326FD73D-A262-6294-2700-000000005502}2872C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098562Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:45.843{326FD73D-A254-6294-0C00-000000005502}8482056C:\Windows\system32\svchost.exe{326FD73D-A262-6294-2700-000000005502}2872C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098561Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:45.843{326FD73D-A252-6294-0500-000000005502}4161908C:\Windows\system32\csrss.exe{326FD73D-C0B1-6294-2F0B-000000005502}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000098560Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:45.843{326FD73D-A44C-6294-0501-000000005502}51646008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{326FD73D-C0B1-6294-2F0B-000000005502}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000098559Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:45.844{326FD73D-C0B1-6294-2F0B-000000005502}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{326FD73D-A253-6294-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{326FD73D-A44C-6294-0501-000000005502}5164C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000098558Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:45.203{326FD73D-A45C-6294-5601-000000005502}6368NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B47851AB1967BBE5387D88E4C6CD2E7C,SHA256=0ED3576C06D5A57E92A993CE7F9A98B394139C1ACE6243C2E2D66F495D0A294B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x800000000000000098662Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:46.890{326FD73D-C0B2-6294-300B-000000005502}3652C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000098661Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:46.890{326FD73D-C0B2-6294-300B-000000005502}3652C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000098660Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:46.890{326FD73D-C0B2-6294-300B-000000005502}3652C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000098659Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:46.890{326FD73D-C0B2-6294-300B-000000005502}3652C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x800000000000000098658Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:46.890{326FD73D-C0B2-6294-300B-000000005502}3652C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000098657Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:46.890{326FD73D-C0B2-6294-300B-000000005502}3652C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x800000000000000098656Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:46.890{326FD73D-C0B2-6294-300B-000000005502}3652C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000098655Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:46.890{326FD73D-C0B2-6294-300B-000000005502}3652C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x800000000000000098654Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:46.890{326FD73D-C0B2-6294-300B-000000005502}3652C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sspicli.dll10.0.14393.5006 (rs1_release.220301-1704)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=F0258C58C8DC45AF9B5AAF9BA49E0C53,SHA256=8E1EAA39742CC0E97D615229E9C13C8447B8D115B4678A1F03BE3E8E20345521,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x800000000000000098653Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:46.890{326FD73D-C0B2-6294-300B-000000005502}3652C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000098652Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:46.890{326FD73D-C0B2-6294-300B-000000005502}3652C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000098651Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:46.890{326FD73D-C0B2-6294-300B-000000005502}3652C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000098650Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:46.874{326FD73D-C0B2-6294-300B-000000005502}3652C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000098649Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:46.874{326FD73D-C0B2-6294-300B-000000005502}3652C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5125 (rs1_release.220429-1732)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=5760D3C7E030C7F1984753F6050BF4DA,SHA256=DCB422305A2B3160F8FD53B3F3841B1EE80E4D81D2599FA02CEA9BBC5E5E2834,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000098648Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:46.874{326FD73D-C0B2-6294-300B-000000005502}3652C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\combase.dll10.0.14393.5125 (rs1_release.220429-1732)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=D63E9AB9C67A611B947527D96B81B44D,SHA256=0F050418ED9A8C0F879636B1B25AF9C651966FE75B8EFAD76F2AD73BB0AD54BC,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000098647Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:46.874{326FD73D-C0B2-6294-300B-000000005502}3652C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000098646Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:46.874{326FD73D-C0B2-6294-300B-000000005502}3652C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000098645Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:46.874{326FD73D-C0B2-6294-300B-000000005502}3652C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ole32.dll10.0.14393.4651 (rs1_release.210911-1554)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=3858DC319832992A738C12330E3E579C,SHA256=DEDE14211FCAE7CB5500730B35BABFEAC1F0D207A248D8B6418D2EEF8F348716,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000098644Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:46.874{326FD73D-C0B2-6294-300B-000000005502}3652C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x800000000000000098643Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:46.874{326FD73D-C0B2-6294-300B-000000005502}3652C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000098642Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:46.874{326FD73D-C0B2-6294-300B-000000005502}3652C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000098641Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:46.874{326FD73D-C0B2-6294-300B-000000005502}3652C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000098640Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:46.874{326FD73D-C0B2-6294-300B-000000005502}3652C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5125 (rs1_release.220429-1732)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=BA612E99251C829D7E20073F81A02617,SHA256=9BCFD0E0857596C5F0F7596B6A4A9207684617D8333EEAE9BC482AE1802752D9,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000098639Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:46.874{326FD73D-C0B2-6294-300B-000000005502}3652C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000098638Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:46.874{326FD73D-C0B2-6294-300B-000000005502}3652C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000098637Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:46.874{326FD73D-C0B2-6294-300B-000000005502}3652C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x800000000000000098636Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:46.874{326FD73D-C0B2-6294-300B-000000005502}3652C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000098635Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:46.874{326FD73D-C0B2-6294-300B-000000005502}3652C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000098634Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:46.874{326FD73D-C0B2-6294-300B-000000005502}3652C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000098633Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:46.874{326FD73D-C0B2-6294-300B-000000005502}3652C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000098632Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:46.874{326FD73D-C0B2-6294-300B-000000005502}3652C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27,IMPHASH=B01B7830101BC0D5FBDE4FFE2B170CF7trueMicrosoft WindowsValid 734700x800000000000000098631Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:46.874{326FD73D-C0B2-6294-300B-000000005502}3652C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000098630Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:46.874{326FD73D-C0B2-6294-300B-000000005502}3652C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x800000000000000098629Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:46.874{326FD73D-C0B2-6294-300B-000000005502}3652C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728B,IMPHASH=98738BA55485CCA932F6D222F47FFC55trueMicrosoft WindowsValid 734700x800000000000000098628Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:46.874{326FD73D-C0B2-6294-300B-000000005502}3652C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9,IMPHASH=3C043C6FF0F62DAEB8819606F79C5ECCtrueMicrosoft WindowsValid 734700x800000000000000098627Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:46.874{326FD73D-C0B2-6294-300B-000000005502}3652C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000098626Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:46.874{326FD73D-C0B2-6294-300B-000000005502}3652C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x800000000000000098625Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:46.874{326FD73D-C0B2-6294-300B-000000005502}3652C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5125 (rs1_release.220429-1732)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=E22D365A75901B1AED4B2A329FC3B5EC,SHA256=70073F203292301E5B6854DED0F9150B97F2E81A2E12FF40C81E978382B8D2CB,IMPHASH=154EA5DE40F0F2475E943DE8013E5692trueMicrosoft WindowsValid 734700x800000000000000098624Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:46.874{326FD73D-C0B2-6294-300B-000000005502}3652C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000098623Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:46.874{326FD73D-C0B2-6294-300B-000000005502}3652C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 10341000x800000000000000098622Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:46.874{326FD73D-A44C-6294-0901-000000005502}53725392C:\Windows\system32\conhost.exe{326FD73D-C0B2-6294-300B-000000005502}3652C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000098621Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:46.874{326FD73D-C0B2-6294-300B-000000005502}3652C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5125 (rs1_release.220429-1732)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D8F18C830B03B0D60C10093ECB020E60,SHA256=CF0D33CEC46BB41C6F5693A84491ACD7F7CBECB429BA6C47AB5A170D4DF3484F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x800000000000000098620Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:46.874{326FD73D-C0B2-6294-300B-000000005502}3652C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5066 (rs1_release.220401-1841)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=E258A076D1B87D41F724E431B3293BA5,SHA256=0670462AC0932F314B2E4A0A20B4B6F96C024C2310BD2AF21B20BF7A8EC9FF8E,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x800000000000000098619Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:46.874{326FD73D-C0B2-6294-300B-000000005502}3652C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000098618Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:46.874{326FD73D-C0B2-6294-300B-000000005502}3652C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exeMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52trueSplunk, Inc.Valid 10341000x800000000000000098617Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:46.874{326FD73D-A254-6294-0C00-000000005502}8482056C:\Windows\system32\svchost.exe{326FD73D-A262-6294-2700-000000005502}2872C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098616Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:46.874{326FD73D-A254-6294-0C00-000000005502}8482056C:\Windows\system32\svchost.exe{326FD73D-A262-6294-2700-000000005502}2872C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098615Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:46.874{326FD73D-A252-6294-0500-000000005502}4161908C:\Windows\system32\csrss.exe{326FD73D-C0B2-6294-300B-000000005502}3652C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000098614Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:46.874{326FD73D-A254-6294-0C00-000000005502}8482056C:\Windows\system32\svchost.exe{326FD73D-A262-6294-2700-000000005502}2872C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098613Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:46.874{326FD73D-A254-6294-0C00-000000005502}8482056C:\Windows\system32\svchost.exe{326FD73D-A262-6294-2700-000000005502}2872C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098612Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:46.874{326FD73D-A44C-6294-0501-000000005502}51646008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{326FD73D-C0B2-6294-300B-000000005502}3652C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000098611Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:46.876{326FD73D-C0B2-6294-300B-000000005502}3652C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{326FD73D-A253-6294-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{326FD73D-A44C-6294-0501-000000005502}5164C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000098610Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:46.609{326FD73D-A45C-6294-5601-000000005502}6368NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B675F3DA9342261C3D8F04FAA7F870D9,SHA256=03C4F755B0E2F68DD11FA4027EB7CF5A267B5C0E846DB95BDD0BCB9084936D80,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x800000000000000098609Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:46.046{326FD73D-C0B1-6294-2F0B-000000005502}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x800000000000000098608Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:46.046{326FD73D-C0B1-6294-2F0B-000000005502}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000098607Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:46.046{326FD73D-C0B1-6294-2F0B-000000005502}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 10341000x800000000000000098716Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:47.703{326FD73D-C0B3-6294-310B-000000005502}40166512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{326FD73D-A44C-6294-0501-000000005502}5164C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000098715Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:47.703{326FD73D-C0B3-6294-310B-000000005502}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000098714Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:47.703{326FD73D-C0B3-6294-310B-000000005502}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x800000000000000098713Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:47.562{326FD73D-C0B3-6294-310B-000000005502}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000098712Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:47.562{326FD73D-C0B3-6294-310B-000000005502}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000098711Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:47.562{326FD73D-C0B3-6294-310B-000000005502}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000098710Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:47.562{326FD73D-C0B3-6294-310B-000000005502}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x800000000000000098709Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:47.562{326FD73D-C0B3-6294-310B-000000005502}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000098708Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:47.562{326FD73D-C0B3-6294-310B-000000005502}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x800000000000000098707Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:47.562{326FD73D-C0B3-6294-310B-000000005502}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000098706Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:47.562{326FD73D-C0B3-6294-310B-000000005502}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x800000000000000098705Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:47.562{326FD73D-C0B3-6294-310B-000000005502}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x800000000000000098704Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:47.546{326FD73D-C0B3-6294-310B-000000005502}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5125 (rs1_release.220429-1732)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=5760D3C7E030C7F1984753F6050BF4DA,SHA256=DCB422305A2B3160F8FD53B3F3841B1EE80E4D81D2599FA02CEA9BBC5E5E2834,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000098703Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:47.546{326FD73D-C0B3-6294-310B-000000005502}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000098702Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:47.546{326FD73D-C0B3-6294-310B-000000005502}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000098701Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:47.546{326FD73D-C0B3-6294-310B-000000005502}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000098700Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:47.546{326FD73D-C0B3-6294-310B-000000005502}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000098699Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:47.546{326FD73D-C0B3-6294-310B-000000005502}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x800000000000000098698Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:47.546{326FD73D-C0B3-6294-310B-000000005502}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000098697Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:47.546{326FD73D-C0B3-6294-310B-000000005502}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000098696Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:47.546{326FD73D-C0B3-6294-310B-000000005502}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000098695Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:47.546{326FD73D-C0B3-6294-310B-000000005502}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x800000000000000098694Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:47.546{326FD73D-C0B3-6294-310B-000000005502}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000098693Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:47.546{326FD73D-C0B3-6294-310B-000000005502}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000098692Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:47.546{326FD73D-C0B3-6294-310B-000000005502}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000098691Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:47.546{326FD73D-C0B3-6294-310B-000000005502}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000098690Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:47.546{326FD73D-C0B3-6294-310B-000000005502}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x800000000000000098689Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:47.546{326FD73D-C0B3-6294-310B-000000005502}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000098688Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:47.546{326FD73D-C0B3-6294-310B-000000005502}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000098687Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:47.546{326FD73D-C0B3-6294-310B-000000005502}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000098686Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:47.546{326FD73D-C0B3-6294-310B-000000005502}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000098685Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:47.546{326FD73D-C0B3-6294-310B-000000005502}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5125 (rs1_release.220429-1732)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=E22D365A75901B1AED4B2A329FC3B5EC,SHA256=70073F203292301E5B6854DED0F9150B97F2E81A2E12FF40C81E978382B8D2CB,IMPHASH=154EA5DE40F0F2475E943DE8013E5692trueMicrosoft WindowsValid 734700x800000000000000098684Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:47.546{326FD73D-C0B3-6294-310B-000000005502}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000098683Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:47.546{326FD73D-C0B3-6294-310B-000000005502}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\combase.dll10.0.14393.5125 (rs1_release.220429-1732)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=D63E9AB9C67A611B947527D96B81B44D,SHA256=0F050418ED9A8C0F879636B1B25AF9C651966FE75B8EFAD76F2AD73BB0AD54BC,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000098682Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:47.546{326FD73D-C0B3-6294-310B-000000005502}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ole32.dll10.0.14393.4651 (rs1_release.210911-1554)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=3858DC319832992A738C12330E3E579C,SHA256=DEDE14211FCAE7CB5500730B35BABFEAC1F0D207A248D8B6418D2EEF8F348716,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000098681Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:47.546{326FD73D-C0B3-6294-310B-000000005502}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5125 (rs1_release.220429-1732)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=BA612E99251C829D7E20073F81A02617,SHA256=9BCFD0E0857596C5F0F7596B6A4A9207684617D8333EEAE9BC482AE1802752D9,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000098680Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:47.546{326FD73D-C0B3-6294-310B-000000005502}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000098679Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:47.546{326FD73D-C0B3-6294-310B-000000005502}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000098678Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:47.546{326FD73D-C0B3-6294-310B-000000005502}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x800000000000000098677Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:47.546{326FD73D-A44C-6294-0901-000000005502}53725392C:\Windows\system32\conhost.exe{326FD73D-C0B3-6294-310B-000000005502}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000098676Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:47.546{326FD73D-C0B3-6294-310B-000000005502}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5125 (rs1_release.220429-1732)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D8F18C830B03B0D60C10093ECB020E60,SHA256=CF0D33CEC46BB41C6F5693A84491ACD7F7CBECB429BA6C47AB5A170D4DF3484F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x800000000000000098675Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:47.546{326FD73D-C0B3-6294-310B-000000005502}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel32.dll10.0.14393.5066 (rs1_release.220401-1841)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=E258A076D1B87D41F724E431B3293BA5,SHA256=0670462AC0932F314B2E4A0A20B4B6F96C024C2310BD2AF21B20BF7A8EC9FF8E,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x800000000000000098674Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:47.546{326FD73D-C0B3-6294-310B-000000005502}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000098673Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:47.546{326FD73D-C0B3-6294-310B-000000005502}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exeMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2trueSplunk, Inc.Valid 10341000x800000000000000098672Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:47.546{326FD73D-A254-6294-0C00-000000005502}8482056C:\Windows\system32\svchost.exe{326FD73D-A262-6294-2700-000000005502}2872C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098671Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:47.546{326FD73D-A254-6294-0C00-000000005502}8482056C:\Windows\system32\svchost.exe{326FD73D-A262-6294-2700-000000005502}2872C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098670Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:47.546{326FD73D-A254-6294-0C00-000000005502}8482056C:\Windows\system32\svchost.exe{326FD73D-A262-6294-2700-000000005502}2872C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098669Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:47.546{326FD73D-A254-6294-0C00-000000005502}8482056C:\Windows\system32\svchost.exe{326FD73D-A262-6294-2700-000000005502}2872C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098668Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:47.546{326FD73D-A252-6294-0500-000000005502}416432C:\Windows\system32\csrss.exe{326FD73D-C0B3-6294-310B-000000005502}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000098667Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:47.546{326FD73D-A44C-6294-0501-000000005502}51646008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{326FD73D-C0B3-6294-310B-000000005502}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000098666Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:47.547{326FD73D-C0B3-6294-310B-000000005502}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{326FD73D-A253-6294-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{326FD73D-A44C-6294-0501-000000005502}5164C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 734700x800000000000000098665Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:47.062{326FD73D-C0B2-6294-300B-000000005502}3652C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x800000000000000098664Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:47.062{326FD73D-C0B2-6294-300B-000000005502}3652C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000098663Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:47.062{326FD73D-C0B2-6294-300B-000000005502}3652C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x800000000000000098719Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:48.859{326FD73D-A45C-6294-5601-000000005502}6368NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3EB755BAFF1CAC8AAF894D3F0DC9F78,SHA256=E0B1F8405A7B13332D9779D809EE18DD0F5B5632C7D29D926ED94A4BE69E86F9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000098718Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:48.609{326FD73D-A44C-6294-0501-000000005502}5164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=D1A2FA588820B113B6F585ADCBED47D1,SHA256=3ECA82BAFE47000213E3B79CA266CCD307C065FA33CB831653A3FE4DDB32A4C4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000098717Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:48.109{326FD73D-A45C-6294-5601-000000005502}6368NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4053AD6E4E3D0F328B3852A55E66E713,SHA256=F4797A01E1FC7597EEF81ED4CD92FC0179664ABB2D2E16A417F042361211A676,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x800000000000000098822Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:49.890{326FD73D-C0B5-6294-330B-000000005502}5696C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x800000000000000098821Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:49.890{326FD73D-C0B5-6294-330B-000000005502}56966972C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{326FD73D-A44C-6294-0501-000000005502}5164C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000098820Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:49.890{326FD73D-C0B5-6294-330B-000000005502}5696C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000098819Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:49.890{326FD73D-C0B5-6294-330B-000000005502}5696C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x800000000000000098818Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:49.718{326FD73D-C0B5-6294-330B-000000005502}5696C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000098817Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:49.718{326FD73D-C0B5-6294-330B-000000005502}5696C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000098816Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:49.718{326FD73D-C0B5-6294-330B-000000005502}5696C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000098815Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:49.718{326FD73D-C0B5-6294-330B-000000005502}5696C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x800000000000000098814Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:49.718{326FD73D-C0B5-6294-330B-000000005502}5696C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000098813Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:49.718{326FD73D-C0B5-6294-330B-000000005502}5696C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x800000000000000098812Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:49.718{326FD73D-C0B5-6294-330B-000000005502}5696C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000098811Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:49.718{326FD73D-C0B5-6294-330B-000000005502}5696C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x800000000000000098810Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:49.718{326FD73D-C0B5-6294-330B-000000005502}5696C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000098809Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:49.718{326FD73D-C0B5-6294-330B-000000005502}5696C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000098808Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:49.718{326FD73D-C0B5-6294-330B-000000005502}5696C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000098807Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:49.702{326FD73D-C0B5-6294-330B-000000005502}5696C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000098806Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:49.702{326FD73D-C0B5-6294-330B-000000005502}5696C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.5125 (rs1_release.220429-1732)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=D63E9AB9C67A611B947527D96B81B44D,SHA256=0F050418ED9A8C0F879636B1B25AF9C651966FE75B8EFAD76F2AD73BB0AD54BC,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000098805Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:49.702{326FD73D-C0B5-6294-330B-000000005502}5696C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4651 (rs1_release.210911-1554)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=3858DC319832992A738C12330E3E579C,SHA256=DEDE14211FCAE7CB5500730B35BABFEAC1F0D207A248D8B6418D2EEF8F348716,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000098804Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:49.702{326FD73D-C0B5-6294-330B-000000005502}5696C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.5125 (rs1_release.220429-1732)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=BA612E99251C829D7E20073F81A02617,SHA256=9BCFD0E0857596C5F0F7596B6A4A9207684617D8333EEAE9BC482AE1802752D9,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000098803Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:49.702{326FD73D-C0B5-6294-330B-000000005502}5696C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.5125 (rs1_release.220429-1732)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=5760D3C7E030C7F1984753F6050BF4DA,SHA256=DCB422305A2B3160F8FD53B3F3841B1EE80E4D81D2599FA02CEA9BBC5E5E2834,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000098802Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:49.702{326FD73D-C0B5-6294-330B-000000005502}5696C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000098801Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:49.702{326FD73D-C0B5-6294-330B-000000005502}5696C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000098800Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:49.702{326FD73D-C0B5-6294-330B-000000005502}5696C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000098799Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:49.702{326FD73D-C0B5-6294-330B-000000005502}5696C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000098798Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:49.702{326FD73D-C0B5-6294-330B-000000005502}5696C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000098797Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:49.702{326FD73D-C0B5-6294-330B-000000005502}5696C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000098796Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:49.702{326FD73D-C0B5-6294-330B-000000005502}5696C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x800000000000000098795Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:49.702{326FD73D-C0B5-6294-330B-000000005502}5696C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5125 (rs1_release.220429-1732)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=E22D365A75901B1AED4B2A329FC3B5EC,SHA256=70073F203292301E5B6854DED0F9150B97F2E81A2E12FF40C81E978382B8D2CB,IMPHASH=154EA5DE40F0F2475E943DE8013E5692trueMicrosoft WindowsValid 734700x800000000000000098794Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:49.702{326FD73D-C0B5-6294-330B-000000005502}5696C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000098793Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:49.702{326FD73D-C0B5-6294-330B-000000005502}5696C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000098792Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:49.702{326FD73D-C0B5-6294-330B-000000005502}5696C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000098791Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:49.702{326FD73D-C0B5-6294-330B-000000005502}5696C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000098790Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:49.702{326FD73D-C0B5-6294-330B-000000005502}5696C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000098789Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:49.702{326FD73D-C0B5-6294-330B-000000005502}5696C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000098788Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:49.702{326FD73D-C0B5-6294-330B-000000005502}5696C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000098787Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:49.702{326FD73D-C0B5-6294-330B-000000005502}5696C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x800000000000000098786Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:49.702{326FD73D-C0B5-6294-330B-000000005502}5696C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000098785Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:49.702{326FD73D-C0B5-6294-330B-000000005502}5696C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000098784Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:49.702{326FD73D-C0B5-6294-330B-000000005502}5696C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x800000000000000098783Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:49.702{326FD73D-A44C-6294-0901-000000005502}53725392C:\Windows\system32\conhost.exe{326FD73D-C0B5-6294-330B-000000005502}5696C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000098782Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:49.702{326FD73D-C0B5-6294-330B-000000005502}5696C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.5125 (rs1_release.220429-1732)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D8F18C830B03B0D60C10093ECB020E60,SHA256=CF0D33CEC46BB41C6F5693A84491ACD7F7CBECB429BA6C47AB5A170D4DF3484F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x800000000000000098781Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:49.702{326FD73D-C0B5-6294-330B-000000005502}5696C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.5066 (rs1_release.220401-1841)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=E258A076D1B87D41F724E431B3293BA5,SHA256=0670462AC0932F314B2E4A0A20B4B6F96C024C2310BD2AF21B20BF7A8EC9FF8E,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x800000000000000098780Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:49.702{326FD73D-C0B5-6294-330B-000000005502}5696C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000098779Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:49.702{326FD73D-C0B5-6294-330B-000000005502}5696C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9trueSplunk, Inc.Valid 10341000x800000000000000098778Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:49.702{326FD73D-A254-6294-0C00-000000005502}8482056C:\Windows\system32\svchost.exe{326FD73D-A262-6294-2700-000000005502}2872C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098777Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:49.702{326FD73D-A254-6294-0C00-000000005502}8482056C:\Windows\system32\svchost.exe{326FD73D-A262-6294-2700-000000005502}2872C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098776Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:49.702{326FD73D-A254-6294-0C00-000000005502}8482056C:\Windows\system32\svchost.exe{326FD73D-A262-6294-2700-000000005502}2872C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098775Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:49.702{326FD73D-A254-6294-0C00-000000005502}8482056C:\Windows\system32\svchost.exe{326FD73D-A262-6294-2700-000000005502}2872C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098774Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:49.702{326FD73D-A252-6294-0500-000000005502}416532C:\Windows\system32\csrss.exe{326FD73D-C0B5-6294-330B-000000005502}5696C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000098773Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:49.702{326FD73D-A44C-6294-0501-000000005502}51646008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{326FD73D-C0B5-6294-330B-000000005502}5696C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000098772Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:49.704{326FD73D-C0B5-6294-330B-000000005502}5696C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{326FD73D-A253-6294-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{326FD73D-A44C-6294-0501-000000005502}5164C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000098771Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:45.974{326FD73D-A455-6294-3701-000000005502}6180C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-994.attackrange.local53319-false10.0.1.12-8000- 734700x800000000000000098770Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:49.218{326FD73D-C0B5-6294-320B-000000005502}4220C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x800000000000000098769Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:49.218{326FD73D-C0B5-6294-320B-000000005502}42201912C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{326FD73D-A44C-6294-0501-000000005502}5164C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000098768Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:49.218{326FD73D-C0B5-6294-320B-000000005502}4220C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000098767Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:49.218{326FD73D-C0B5-6294-320B-000000005502}4220C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x800000000000000098766Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:49.046{326FD73D-C0B5-6294-320B-000000005502}4220C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000098765Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:49.046{326FD73D-C0B5-6294-320B-000000005502}4220C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000098764Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:49.046{326FD73D-C0B5-6294-320B-000000005502}4220C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000098763Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:49.046{326FD73D-C0B5-6294-320B-000000005502}4220C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x800000000000000098762Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:49.046{326FD73D-C0B5-6294-320B-000000005502}4220C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000098761Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:49.046{326FD73D-C0B5-6294-320B-000000005502}4220C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x800000000000000098760Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:49.046{326FD73D-C0B5-6294-320B-000000005502}4220C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000098759Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:49.046{326FD73D-C0B5-6294-320B-000000005502}4220C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x800000000000000098758Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:49.031{326FD73D-C0B5-6294-320B-000000005502}4220C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000098757Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:49.031{326FD73D-C0B5-6294-320B-000000005502}4220C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000098756Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:49.031{326FD73D-C0B5-6294-320B-000000005502}4220C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000098755Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:49.031{326FD73D-C0B5-6294-320B-000000005502}4220C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000098754Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:49.031{326FD73D-C0B5-6294-320B-000000005502}4220C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.5125 (rs1_release.220429-1732)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=D63E9AB9C67A611B947527D96B81B44D,SHA256=0F050418ED9A8C0F879636B1B25AF9C651966FE75B8EFAD76F2AD73BB0AD54BC,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000098753Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:49.031{326FD73D-C0B5-6294-320B-000000005502}4220C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000098752Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:49.031{326FD73D-C0B5-6294-320B-000000005502}4220C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.5125 (rs1_release.220429-1732)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=5760D3C7E030C7F1984753F6050BF4DA,SHA256=DCB422305A2B3160F8FD53B3F3841B1EE80E4D81D2599FA02CEA9BBC5E5E2834,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000098751Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:49.031{326FD73D-C0B5-6294-320B-000000005502}4220C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.5125 (rs1_release.220429-1732)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=BA612E99251C829D7E20073F81A02617,SHA256=9BCFD0E0857596C5F0F7596B6A4A9207684617D8333EEAE9BC482AE1802752D9,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000098750Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:49.031{326FD73D-C0B5-6294-320B-000000005502}4220C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4651 (rs1_release.210911-1554)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=3858DC319832992A738C12330E3E579C,SHA256=DEDE14211FCAE7CB5500730B35BABFEAC1F0D207A248D8B6418D2EEF8F348716,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000098749Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:49.031{326FD73D-C0B5-6294-320B-000000005502}4220C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000098748Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:49.031{326FD73D-C0B5-6294-320B-000000005502}4220C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000098747Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:49.031{326FD73D-C0B5-6294-320B-000000005502}4220C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000098746Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:49.031{326FD73D-C0B5-6294-320B-000000005502}4220C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000098745Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:49.031{326FD73D-C0B5-6294-320B-000000005502}4220C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000098744Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:49.031{326FD73D-C0B5-6294-320B-000000005502}4220C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x800000000000000098743Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:49.031{326FD73D-C0B5-6294-320B-000000005502}4220C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000098742Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:49.031{326FD73D-C0B5-6294-320B-000000005502}4220C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5125 (rs1_release.220429-1732)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=E22D365A75901B1AED4B2A329FC3B5EC,SHA256=70073F203292301E5B6854DED0F9150B97F2E81A2E12FF40C81E978382B8D2CB,IMPHASH=154EA5DE40F0F2475E943DE8013E5692trueMicrosoft WindowsValid 734700x800000000000000098741Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:49.031{326FD73D-C0B5-6294-320B-000000005502}4220C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000098740Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:49.031{326FD73D-C0B5-6294-320B-000000005502}4220C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000098739Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:49.031{326FD73D-C0B5-6294-320B-000000005502}4220C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000098738Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:49.031{326FD73D-C0B5-6294-320B-000000005502}4220C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000098737Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:49.031{326FD73D-C0B5-6294-320B-000000005502}4220C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000098736Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:49.031{326FD73D-C0B5-6294-320B-000000005502}4220C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000098735Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:49.031{326FD73D-C0B5-6294-320B-000000005502}4220C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000098734Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:49.031{326FD73D-C0B5-6294-320B-000000005502}4220C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x800000000000000098733Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:49.031{326FD73D-C0B5-6294-320B-000000005502}4220C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000098732Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:49.031{326FD73D-C0B5-6294-320B-000000005502}4220C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x800000000000000098731Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:49.031{326FD73D-A44C-6294-0901-000000005502}53725392C:\Windows\system32\conhost.exe{326FD73D-C0B5-6294-320B-000000005502}4220C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000098730Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:49.031{326FD73D-C0B5-6294-320B-000000005502}4220C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.5125 (rs1_release.220429-1732)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D8F18C830B03B0D60C10093ECB020E60,SHA256=CF0D33CEC46BB41C6F5693A84491ACD7F7CBECB429BA6C47AB5A170D4DF3484F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x800000000000000098729Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:49.031{326FD73D-C0B5-6294-320B-000000005502}4220C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.5066 (rs1_release.220401-1841)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=E258A076D1B87D41F724E431B3293BA5,SHA256=0670462AC0932F314B2E4A0A20B4B6F96C024C2310BD2AF21B20BF7A8EC9FF8E,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x800000000000000098728Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:49.031{326FD73D-C0B5-6294-320B-000000005502}4220C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000098727Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:49.031{326FD73D-C0B5-6294-320B-000000005502}4220C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9trueSplunk, Inc.Valid 10341000x800000000000000098726Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:49.031{326FD73D-A254-6294-0C00-000000005502}8482056C:\Windows\system32\svchost.exe{326FD73D-A262-6294-2700-000000005502}2872C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098725Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:49.031{326FD73D-A254-6294-0C00-000000005502}8482056C:\Windows\system32\svchost.exe{326FD73D-A262-6294-2700-000000005502}2872C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098724Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:49.031{326FD73D-A254-6294-0C00-000000005502}8482056C:\Windows\system32\svchost.exe{326FD73D-A262-6294-2700-000000005502}2872C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098723Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:49.031{326FD73D-A254-6294-0C00-000000005502}8482056C:\Windows\system32\svchost.exe{326FD73D-A262-6294-2700-000000005502}2872C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098722Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:49.031{326FD73D-A252-6294-0500-000000005502}4161908C:\Windows\system32\csrss.exe{326FD73D-C0B5-6294-320B-000000005502}4220C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000098721Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:49.031{326FD73D-A44C-6294-0501-000000005502}51646008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{326FD73D-C0B5-6294-320B-000000005502}4220C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000098720Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:49.031{326FD73D-C0B5-6294-320B-000000005502}4220C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{326FD73D-A253-6294-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{326FD73D-A44C-6294-0501-000000005502}5164C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000098833Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:50.327{326FD73D-A441-6294-EB00-000000005502}4800440C:\Windows\Explorer.EXE{326FD73D-AAC7-6294-6108-000000005502}5488C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+e9b5f|C:\Windows\System32\SHELL32.dll+eb6a5|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf3f|C:\Windows\System32\windows.storage.dll+13accb|C:\Windows\System32\windows.storage.dll+1391ef|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098832Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:50.327{326FD73D-A441-6294-EB00-000000005502}4800440C:\Windows\Explorer.EXE{326FD73D-AAC7-6294-6108-000000005502}5488C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+eb5be|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf3f|C:\Windows\System32\windows.storage.dll+13accb|C:\Windows\System32\windows.storage.dll+1391ef|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098831Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:50.327{326FD73D-A441-6294-EB00-000000005502}4800440C:\Windows\Explorer.EXE{326FD73D-AAC7-6294-6108-000000005502}5488C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+e9db4|C:\Windows\System32\SHELL32.dll+eb587|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf3f|C:\Windows\System32\windows.storage.dll+13accb|C:\Windows\System32\windows.storage.dll+1391ef|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000098830Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:50.312{326FD73D-A441-6294-EB00-000000005502}4800ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Local\Microsoft\PenWorkspace\DiscoverCacheData.datMD5=58FDE1A71D2ADB272DABB3A92B406559,SHA256=555933C7D5D49EBF3648EE1EF420E0C71835139B8A8DEF8FBA64C9EBE48B0C32,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000098829Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:50.312{326FD73D-A441-6294-EB00-000000005502}48004500C:\Windows\Explorer.EXE{326FD73D-AAC7-6294-6208-000000005502}5940C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+e9b5f|C:\Windows\System32\SHELL32.dll+ebd30|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098828Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:50.312{326FD73D-A441-6294-EB00-000000005502}48004500C:\Windows\Explorer.EXE{326FD73D-AAC7-6294-6208-000000005502}5940C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+81330|C:\Windows\System32\SHELL32.dll+ebcec|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098827Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:50.312{326FD73D-A441-6294-EB00-000000005502}48004500C:\Windows\Explorer.EXE{326FD73D-AAC7-6294-6208-000000005502}5940C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+e9db4|C:\Windows\System32\SHELL32.dll+ebcc0|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098826Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:50.312{326FD73D-A441-6294-EB00-000000005502}48004500C:\Windows\Explorer.EXE{326FD73D-AAC7-6294-6208-000000005502}5940C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000098825Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:50.109{326FD73D-A45C-6294-5601-000000005502}6368NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B6FA254D2B15CF5E8A68646AE970AA4D,SHA256=6CAF83A4811BA3EB49FD225559519A8F6C532EA172535FE84BCD48A95D5DC4D7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000098824Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:50.015{326FD73D-A45C-6294-5601-000000005502}6368NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=851328231F8132ABA9E3886311001F20,SHA256=92E5CDB1DEEB8B695C59C5C1690EEF85D1B0732CCFA6476772B84A17E410A8BD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000098823Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:50.015{326FD73D-A45C-6294-5601-000000005502}6368NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76A6DE1F0EFA358ED3ED2CD62A6583E7,SHA256=2634E640C573F0B6E0C6BB9C180B5F5F6D844AA9CA50F30730A830157298CE17,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x800000000000000098886Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:51.406{326FD73D-C0B7-6294-340B-000000005502}6608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x800000000000000098885Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:51.406{326FD73D-C0B7-6294-340B-000000005502}66086868C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{326FD73D-A44C-6294-0501-000000005502}5164C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000098884Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:51.390{326FD73D-C0B7-6294-340B-000000005502}6608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000098883Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:51.390{326FD73D-C0B7-6294-340B-000000005502}6608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x800000000000000098882Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:51.249{326FD73D-C0B7-6294-340B-000000005502}6608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000098881Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:51.249{326FD73D-C0B7-6294-340B-000000005502}6608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000098880Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:51.249{326FD73D-C0B7-6294-340B-000000005502}6608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000098879Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:51.249{326FD73D-C0B7-6294-340B-000000005502}6608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x800000000000000098878Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:51.249{326FD73D-C0B7-6294-340B-000000005502}6608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000098877Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:51.249{326FD73D-C0B7-6294-340B-000000005502}6608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x800000000000000098876Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:51.249{326FD73D-C0B7-6294-340B-000000005502}6608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000098875Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:51.249{326FD73D-C0B7-6294-340B-000000005502}6608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x800000000000000098874Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:51.234{326FD73D-C0B7-6294-340B-000000005502}6608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000098873Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:51.234{326FD73D-C0B7-6294-340B-000000005502}6608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000098872Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:51.234{326FD73D-C0B7-6294-340B-000000005502}6608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000098871Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:51.234{326FD73D-C0B7-6294-340B-000000005502}6608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000098870Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:51.234{326FD73D-C0B7-6294-340B-000000005502}6608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\combase.dll10.0.14393.5125 (rs1_release.220429-1732)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=D63E9AB9C67A611B947527D96B81B44D,SHA256=0F050418ED9A8C0F879636B1B25AF9C651966FE75B8EFAD76F2AD73BB0AD54BC,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000098869Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:51.234{326FD73D-C0B7-6294-340B-000000005502}6608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ole32.dll10.0.14393.4651 (rs1_release.210911-1554)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=3858DC319832992A738C12330E3E579C,SHA256=DEDE14211FCAE7CB5500730B35BABFEAC1F0D207A248D8B6418D2EEF8F348716,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000098868Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:51.234{326FD73D-C0B7-6294-340B-000000005502}6608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5125 (rs1_release.220429-1732)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=BA612E99251C829D7E20073F81A02617,SHA256=9BCFD0E0857596C5F0F7596B6A4A9207684617D8333EEAE9BC482AE1802752D9,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000098867Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:51.234{326FD73D-C0B7-6294-340B-000000005502}6608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5125 (rs1_release.220429-1732)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=5760D3C7E030C7F1984753F6050BF4DA,SHA256=DCB422305A2B3160F8FD53B3F3841B1EE80E4D81D2599FA02CEA9BBC5E5E2834,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000098866Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:51.234{326FD73D-C0B7-6294-340B-000000005502}6608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000098865Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:51.234{326FD73D-C0B7-6294-340B-000000005502}6608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000098864Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:51.234{326FD73D-C0B7-6294-340B-000000005502}6608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000098863Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:51.234{326FD73D-C0B7-6294-340B-000000005502}6608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000098862Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:51.234{326FD73D-C0B7-6294-340B-000000005502}6608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000098861Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:51.234{326FD73D-C0B7-6294-340B-000000005502}6608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x800000000000000098860Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:51.234{326FD73D-C0B7-6294-340B-000000005502}6608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000098859Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:51.234{326FD73D-C0B7-6294-340B-000000005502}6608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000098858Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:51.234{326FD73D-C0B7-6294-340B-000000005502}6608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5125 (rs1_release.220429-1732)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=E22D365A75901B1AED4B2A329FC3B5EC,SHA256=70073F203292301E5B6854DED0F9150B97F2E81A2E12FF40C81E978382B8D2CB,IMPHASH=154EA5DE40F0F2475E943DE8013E5692trueMicrosoft WindowsValid 734700x800000000000000098857Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:51.234{326FD73D-C0B7-6294-340B-000000005502}6608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000098856Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:51.234{326FD73D-C0B7-6294-340B-000000005502}6608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000098855Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:51.234{326FD73D-C0B7-6294-340B-000000005502}6608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000098854Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:51.234{326FD73D-C0B7-6294-340B-000000005502}6608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000098853Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:51.234{326FD73D-C0B7-6294-340B-000000005502}6608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x800000000000000098852Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:51.234{326FD73D-C0B7-6294-340B-000000005502}6608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000098851Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:51.234{326FD73D-C0B7-6294-340B-000000005502}6608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000098850Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:51.234{326FD73D-C0B7-6294-340B-000000005502}6608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000098849Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:51.234{326FD73D-C0B7-6294-340B-000000005502}6608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x800000000000000098848Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:51.234{326FD73D-C0B7-6294-340B-000000005502}6608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000098847Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:51.234{326FD73D-C0B7-6294-340B-000000005502}6608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x800000000000000098846Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:51.234{326FD73D-A44C-6294-0901-000000005502}53725392C:\Windows\system32\conhost.exe{326FD73D-C0B7-6294-340B-000000005502}6608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000098845Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:51.234{326FD73D-C0B7-6294-340B-000000005502}6608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5125 (rs1_release.220429-1732)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D8F18C830B03B0D60C10093ECB020E60,SHA256=CF0D33CEC46BB41C6F5693A84491ACD7F7CBECB429BA6C47AB5A170D4DF3484F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x800000000000000098844Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:51.234{326FD73D-C0B7-6294-340B-000000005502}6608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5066 (rs1_release.220401-1841)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=E258A076D1B87D41F724E431B3293BA5,SHA256=0670462AC0932F314B2E4A0A20B4B6F96C024C2310BD2AF21B20BF7A8EC9FF8E,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x800000000000000098843Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:51.234{326FD73D-C0B7-6294-340B-000000005502}6608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000098842Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:51.234{326FD73D-C0B7-6294-340B-000000005502}6608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exeMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778trueSplunk, Inc.Valid 10341000x800000000000000098841Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:51.234{326FD73D-A254-6294-0C00-000000005502}8482056C:\Windows\system32\svchost.exe{326FD73D-A262-6294-2700-000000005502}2872C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098840Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:51.234{326FD73D-A254-6294-0C00-000000005502}8482056C:\Windows\system32\svchost.exe{326FD73D-A262-6294-2700-000000005502}2872C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098839Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:51.234{326FD73D-A254-6294-0C00-000000005502}8482056C:\Windows\system32\svchost.exe{326FD73D-A262-6294-2700-000000005502}2872C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098838Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:51.234{326FD73D-A254-6294-0C00-000000005502}8482056C:\Windows\system32\svchost.exe{326FD73D-A262-6294-2700-000000005502}2872C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098837Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:51.234{326FD73D-A252-6294-0500-000000005502}416432C:\Windows\system32\csrss.exe{326FD73D-C0B7-6294-340B-000000005502}6608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000098836Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:51.234{326FD73D-A44C-6294-0501-000000005502}51646008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{326FD73D-C0B7-6294-340B-000000005502}6608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000098835Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:51.235{326FD73D-C0B7-6294-340B-000000005502}6608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{326FD73D-A253-6294-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{326FD73D-A44C-6294-0501-000000005502}5164C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000098834Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:50.999{326FD73D-A45C-6294-5601-000000005502}6368NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8E627963FF2D3A8E27D410D93B3DC50,SHA256=7F7F087930259F6D5A2D7B066CE98EF8BDB5CD8B6781160ED8A81450DB94043C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000098938Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:52.437{326FD73D-A45C-6294-5601-000000005502}6368NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D15F823AD3AB7C3005A132A1CD698598,SHA256=51E7AE881035E311DFBA0DA7FDE88552A010D69383F77626CAEBDEA5416B39A4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x800000000000000098937Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:52.218{326FD73D-C0B8-6294-350B-000000005502}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x800000000000000098936Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:52.202{326FD73D-C0B8-6294-350B-000000005502}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000098935Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:52.202{326FD73D-C0B8-6294-350B-000000005502}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x800000000000000098934Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:52.062{326FD73D-C0B8-6294-350B-000000005502}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000098933Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:52.062{326FD73D-C0B8-6294-350B-000000005502}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000098932Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:52.062{326FD73D-C0B8-6294-350B-000000005502}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000098931Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:52.062{326FD73D-C0B8-6294-350B-000000005502}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x800000000000000098930Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:52.062{326FD73D-C0B8-6294-350B-000000005502}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x800000000000000098929Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:52.062{326FD73D-C0B8-6294-350B-000000005502}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000098928Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:52.062{326FD73D-C0B8-6294-350B-000000005502}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x800000000000000098927Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:52.046{326FD73D-C0B8-6294-350B-000000005502}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000098926Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:52.046{326FD73D-C0B8-6294-350B-000000005502}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000098925Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:52.046{326FD73D-C0B8-6294-350B-000000005502}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000098924Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:52.046{326FD73D-C0B8-6294-350B-000000005502}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5125 (rs1_release.220429-1732)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=5760D3C7E030C7F1984753F6050BF4DA,SHA256=DCB422305A2B3160F8FD53B3F3841B1EE80E4D81D2599FA02CEA9BBC5E5E2834,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000098923Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:52.046{326FD73D-C0B8-6294-350B-000000005502}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000098922Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:52.046{326FD73D-C0B8-6294-350B-000000005502}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000098921Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:52.046{326FD73D-C0B8-6294-350B-000000005502}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000098920Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:52.046{326FD73D-C0B8-6294-350B-000000005502}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\winspool.drv10.0.14393.5125 (rs1_release.220429-1732)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=B2906606F5996AC73714F1910DB63626,SHA256=6BC9B694C275405A54CA8116C4D2BAD2ECA39B28B34B04358818059D743A572F,IMPHASH=396555AAEAB1402915E17EE8C257B7CFtrueMicrosoft WindowsValid 734700x800000000000000098919Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:52.046{326FD73D-C0B8-6294-350B-000000005502}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x800000000000000098918Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:52.046{326FD73D-C0B8-6294-350B-000000005502}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000098917Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:52.046{326FD73D-C0B8-6294-350B-000000005502}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000098916Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:52.046{326FD73D-C0B8-6294-350B-000000005502}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe