23542300x8000000000000000208687Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:06:36.844{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3EC81DC972F2CA9129B8BDAE73D8E3D8,SHA256=37634694296BA817B15ACE12EE14BDA504A61B29C3DEB7ABFC86240728350EA5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000271942Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:06:33.538{EDA2768C-6FDA-642D-0B00-00000000CB02}648C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-192.attackrange.local63850-false10.0.1.14win-dc-ctus-attack-range-192.attackrange.local389ldap 354300x8000000000000000271941Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:06:33.538{EDA2768C-6FEA-642D-2E00-00000000CB02}2688C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-192.attackrange.local63850-false10.0.1.14win-dc-ctus-attack-range-192.attackrange.local389ldap 23542300x8000000000000000208689Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:06:37.937{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79C85EF14061D16EEAB48447D801D750,SHA256=FF4516135E6CA17642627B555E2AAA6CD39FFDFF6540D242C95F8C2BD8B994DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000208688Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:06:37.328{8E625C7F-6FD8-642D-1E00-00000000CC02}1944NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=EF84031841F89033DF0DFF9D1776E62E,SHA256=FD3282472B4ECD0622E8E7492B13A0FAD0D52E5A37CF13B080395FF605409941,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000271944Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-SetValue2023-04-05 13:06:37.473{EDA2768C-6FDC-642D-1200-00000000CB02}388C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d967bf-0x747a83f9) 23542300x8000000000000000271943Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:06:37.067{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=236B4CC3BB4ABF7E7998D1B12C10C0D4,SHA256=84FD884A3532D1A9F9719A9533503BFA26FCB08BB2B345197F78B0D58B769B38,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271945Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:06:38.161{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74940EA2E398C475F6AECA8D429EB79C,SHA256=EC140A30990C846C66A88C60D4C3CEE5254CCCDBEF40533BD7A14DC374A6FF6E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000208691Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:06:37.117{8E625C7F-6FE3-642D-6100-00000000CC02}3076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-176.us-east-2.compute.internal49821-false10.0.1.12-8000- 23542300x8000000000000000208690Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:06:39.031{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=075867D47988D42C9DA1CED0F1EA028E,SHA256=E5787B3A83B309300D009C855105C4C529509CB9B2E6E4E5DAFA49157E15DB5D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271946Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:06:39.255{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42A22FFDFEDED332B3B287C41BE81DDB,SHA256=E3078BE38F15E14E177331F8D90EF1F8A158D7115D7DF5B43739036EA868BBF4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000208692Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:06:40.125{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5F3EEA2B13B7A9437B16D9FC17D240A,SHA256=ABFE59F2691A8F9293980B2F909DCE0C51A6BDCFFE6F95F15E7F79B49D9BC5AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271948Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:06:40.458{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4EA7FDBFBF21F3CFE35A62574E2C806F,SHA256=0AF360BA31BB516FC123B974E8A0DBA51A039EB3D55FDCAB9CB0DF0019648ED0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000271947Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:06:37.898{EDA2768C-6FF5-642D-7000-00000000CB02}1600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-192.attackrange.local63851-false10.0.1.12-8000- 23542300x8000000000000000208693Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:06:41.219{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B25C334E72F682F1973D11C97E8B81C,SHA256=B76A981634010724AB25704593761C37B76F2AD0BA55BC9385DAF258AAE6F147,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271949Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:06:41.552{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD44C76C47A10BE2D787BC30ED93D2B6,SHA256=8D4AB9830CE68A7D52177BABBBDCBF9E2B2176B39A4188F7944733FDDFC8C66C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000208694Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:06:42.312{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F28657E7C749A3771D484CCBB7225AB,SHA256=0775CC5E6910C9F05038DEC2F0EBA18BF65CF3A14A37E807B47047DBDABC9A0C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000271971Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:06:42.693{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FDC-642D-1400-00000000CB02}1068C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000271970Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:06:42.693{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FDC-642D-1400-00000000CB02}1068C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000271969Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:06:42.693{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FDC-642D-1400-00000000CB02}1068C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000271968Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:06:42.693{EDA2768C-6FDA-642D-0B00-00000000CB02}648852C:\Windows\system32\lsass.exe{EDA2768C-6FD6-642D-0100-00000000CB02}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\kerberos.DLL+97a82|C:\Windows\system32\kerberos.DLL+79da8|C:\Windows\system32\kerberos.DLL+144ff|C:\Windows\system32\lsasrv.dll+2fa11|C:\Windows\system32\lsasrv.dll+2d8f6|C:\Windows\system32\lsasrv.dll+33189|C:\Windows\system32\lsasrv.dll+30ad7|C:\Windows\system32\lsasrv.dll+2fa11|C:\Windows\system32\lsasrv.dll+17a7d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 23542300x8000000000000000271967Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:06:42.646{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F35E21BCCFC8D1EA1FA42F8505D50C81,SHA256=69EACDC02A9FAC4CFADE5C885C5405805ABEDEBF2F75758024987183C3419765,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000271966Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:06:42.600{EDA2768C-6FDA-642D-0B00-00000000CB02}648700C:\Windows\system32\lsass.exe{EDA2768C-6FDD-642D-1600-00000000CB02}1288C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000271965Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:06:42.584{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FDC-642D-1400-00000000CB02}1068C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000271964Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:06:42.584{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FDC-642D-1400-00000000CB02}1068C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000271963Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:06:42.584{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FDC-642D-1400-00000000CB02}1068C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000271962Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:06:42.584{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FDC-642D-1400-00000000CB02}1068C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000271961Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:06:42.584{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FDC-642D-1400-00000000CB02}1068C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000271960Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:06:42.584{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FDC-642D-1400-00000000CB02}1068C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000271959Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:06:42.584{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FDC-642D-1400-00000000CB02}1068C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000271958Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:06:42.584{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FDC-642D-1400-00000000CB02}1068C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000271957Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:06:42.584{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FDC-642D-1400-00000000CB02}1068C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000271956Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:06:42.584{EDA2768C-6FDA-642D-0B00-00000000CB02}648852C:\Windows\system32\lsass.exe{EDA2768C-6FDD-642D-1600-00000000CB02}1288C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000271955Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:06:42.584{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FDC-642D-1400-00000000CB02}1068C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000271954Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:06:42.584{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FDC-642D-1400-00000000CB02}1068C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000271953Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:06:42.584{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FDC-642D-1400-00000000CB02}1068C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000271952Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:06:42.584{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FDC-642D-1400-00000000CB02}1068C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000271951Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:06:42.584{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FDC-642D-1400-00000000CB02}1068C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000271950Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:06:42.584{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FDC-642D-1400-00000000CB02}1068C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000208695Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:06:43.625{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01FBF725439822E1B0B1EA451DDD5077,SHA256=0D764E209F0E13E81FCB69B8734DDEA7D95808A2BD28334BA20FAC3CBB4D3689,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271972Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:06:43.631{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8F934469B0D3809DA58411A0AE6E4E8,SHA256=E9C3CB462A3647BC1207237269B67176B08F34287F8CFF842AAAF77ABA8BE891,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000208696Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:06:44.937{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F956507348BB7A2BA912BDAE28DA48FA,SHA256=ED30C2040A31A33FE7772282A2BDDDF3C6208972D7C2BE32AAF6D5855F5B8ED6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271981Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:06:44.740{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23208B8AD1A9C81D5D585A0488F6BF14,SHA256=BD17D11CAAD9435173D001E7F5D4574144354A1D303B3D11CA8BCEF3434CE157,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000271980Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:06:41.589{EDA2768C-6FD6-642D-0100-00000000CB02}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:d58f:d9ce:a5ad:9754win-dc-ctus-attack-range-192.attackrange.local63854-truefe80:0:0:0:d58f:d9ce:a5ad:9754win-dc-ctus-attack-range-192.attackrange.local445microsoft-ds 354300x8000000000000000271979Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:06:41.589{EDA2768C-6FD6-642D-0100-00000000CB02}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:d58f:d9ce:a5ad:9754win-dc-ctus-attack-range-192.attackrange.local63854-truefe80:0:0:0:d58f:d9ce:a5ad:9754win-dc-ctus-attack-range-192.attackrange.local445microsoft-ds 354300x8000000000000000271978Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:06:41.492{EDA2768C-6FDA-642D-0B00-00000000CB02}648C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-192.attackrange.local63853-false10.0.1.14win-dc-ctus-attack-range-192.attackrange.local389ldap 354300x8000000000000000271977Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:06:41.492{EDA2768C-6FDD-642D-1600-00000000CB02}1288C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-192.attackrange.local63853-false10.0.1.14win-dc-ctus-attack-range-192.attackrange.local389ldap 354300x8000000000000000271976Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:06:41.481{EDA2768C-6FDA-642D-0B00-00000000CB02}648C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:d58f:d9ce:a5ad:9754win-dc-ctus-attack-range-192.attackrange.local63852-truefe80:0:0:0:d58f:d9ce:a5ad:9754win-dc-ctus-attack-range-192.attackrange.local389ldap 354300x8000000000000000271975Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:06:41.481{EDA2768C-6FDD-642D-1600-00000000CB02}1288C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:d58f:d9ce:a5ad:9754win-dc-ctus-attack-range-192.attackrange.local63852-truefe80:0:0:0:d58f:d9ce:a5ad:9754win-dc-ctus-attack-range-192.attackrange.local389ldap 23542300x8000000000000000271974Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:06:44.131{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=561A33949D5EA0B8E0BFB3941D7228F4,SHA256=721EFC5C04F9A8A4A07E81F7831184B4FDDB699508E988AA3851F1288416F93A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271973Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:06:44.131{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=AFA997DE73DA5BE59C1E805BB9FB61FF,SHA256=E6C63C081B32D6015F927E60321DFAC111D76F45D4B3045F1473C889A47D861A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000208697Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:06:43.116{8E625C7F-6FE3-642D-6100-00000000CC02}3076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-176.us-east-2.compute.internal49822-false10.0.1.12-8000- 23542300x8000000000000000271983Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:06:45.834{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57891FD1AFE084ABDB561F2E2EC8E6E0,SHA256=CCCAB6C0662D1BDCABA35FE54DCDEC8C4CAAFC07F69BCB70AEE2D83A1E2A16EE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000271982Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:06:42.898{EDA2768C-6FF5-642D-7000-00000000CB02}1600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-192.attackrange.local63855-false10.0.1.12-8000- 23542300x8000000000000000208698Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:06:46.031{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F28AD883DEB0EA1544AAC3A7F41A501,SHA256=B3C9F5CFB720696A78EE9C86962A7F462D26C70FF071445CDF0768AC6260A1C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271984Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:06:46.928{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBC87D1674292D333E1B51DCD0B1F646,SHA256=8E22B77D321119262D04482DDCA23F475A26F36A8020AD8A0C4C23880D085C40,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000208699Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:06:47.125{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21DEF016C6AB9466A2311A687C8CC230,SHA256=15E232989284466C1BF38865D113E833944526B0C195907FDBCC3ACBF21288BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000208700Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:06:48.219{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91D7F636DEFFB7260F0065D35CCA120E,SHA256=D8EE43D0D2EBBD91D963B2B53BDD274E582EB4BB8234470AD503E21A01DB8C23,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271985Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:06:48.022{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D582702D70242EB4A325888010EEC6CD,SHA256=88A1F85F8A32E4DFE56B19A04CC0CB53DD15E86EE49EA649A2F6389615C334DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000208701Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:06:49.312{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F156B279CBDD04A4607D3B8CCABEC1F2,SHA256=29DBF9DB5397410B728FD99F7FF55432FE6D1D46E551A54BFE25D5C0C5D0B370,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271986Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:06:49.226{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30F33DFAE220BC23B782D29A0DA48B2E,SHA256=E0FE4C221384BBC7FB2B1B6B96BA8FDA801478E3FE5F8B566EAD21954F604C0D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000208703Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:06:49.132{8E625C7F-6FE3-642D-6100-00000000CC02}3076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-176.us-east-2.compute.internal49823-false10.0.1.12-8000- 23542300x8000000000000000208702Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:06:50.406{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF0F109F7977152EFBAC30D828FB2EB8,SHA256=38A6BC728D416E7DA5B0B48F968960D6AB31ACB8E247144BD0827C8A10A52B04,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000271988Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:06:48.116{EDA2768C-6FF5-642D-7000-00000000CB02}1600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-192.attackrange.local63856-false10.0.1.12-8000- 23542300x8000000000000000271987Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:06:50.429{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B6471862BD6C27580C9838783E654CE,SHA256=4C164FA6CE16AD80E8160667CD16C06A9A5A4309591DA3B6A17DBBF405E2F3DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000208704Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:06:51.719{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9DEA3076D652D924D7AAC877F326F73C,SHA256=5D8F2BD776BE180C6A10B8CF10B828274F164B9D83BC896995B62BC8C2F82B4D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271989Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:06:51.632{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8F723084A84CD6DB05AEF2453285995,SHA256=97679D02D395A079FE925013930DF86575CDFB51FE2357BB6A49549868D85202,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000208705Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:06:52.422{8E625C7F-6FD8-642D-1100-00000000CC02}976NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=1E6C27FA13204EAFC1A9C3A253D9B35D,SHA256=548CDD12FD149CF3F8B4F69DDBB80616C471A162E6F3C350A78E2C29EB204294,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271990Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:06:52.726{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE745800FC0CF74EEA80C0F5BFC3DB05,SHA256=AD7F09FF16A7D5D8C06BAD21FDB9B1983D59B9DC20B319FBD6BC6620072DA636,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000208707Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:06:53.468{8E625C7F-6FD8-642D-1400-00000000CC02}972NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\ProgramData\USOPrivate\UpdateStore\updatestore51b519d5-b6f5-4333-8df6-e74d7c9aead4.xml~RFa2a4b.TMPMD5=232836B5A5B8C8B73D98BFB6FC1358BF,SHA256=87400BC9CF7134CDE18A3BAA4366BD08714D611BEEE33E676D054771E10AAD4B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000208706Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:06:53.031{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3068C2EB0F491D0D253B5FFBE3B2851,SHA256=38BF6DF8BC9E8506852159DDC7489EA8513A068476C74C83F3EA12263511914B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271991Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:06:53.930{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C16172EE47607971943E4CE60349BDD,SHA256=EBACEFBCDB3ABE2324EB4EFC36382D33EC91265EC60E0BF3630FC5D192F7E14A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000208709Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:06:54.468{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=37D247E2EB7E44C63B5453C0B2641DDB,SHA256=F6719BC7DF83FFDB1B30217C5240DB009451484D06D51CCAFE6EFEFF278A3EE7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000208708Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:06:54.125{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D261DBAB450E444D518639D1D7596B54,SHA256=00F33048D8D5DC8325227EC986077775BCB34DDE95D03BB890EBAFFA2E25A941,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271992Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:06:54.539{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BC463427C3FBC4257E4409ACEE20F437,SHA256=4F0DAB0D2066CC6E5B5E7F4AF28A06E905C7162C48225E2773D69ACD94585AAF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000208710Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:06:55.218{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21D5BFAFA8FC0D559964085759B07CA4,SHA256=3755184714A0F7BEEC2BB0EE6AC8F0C9E2F3D278E31504744B0EEE74FCF9AED8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271994Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:06:55.820{EDA2768C-6FEA-642D-2900-00000000CB02}2628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=688A71DA5BB264B7C1213CB2A7C52292,SHA256=898E6E1D4D65E3651FC2489456AB31FEFDB502EA842067DA8D6923FFA73A8751,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271993Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:06:55.023{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12B0FCEB11E9F75BE8997E6EEA727FB4,SHA256=21FD1AC30E2C345F5E92FEF5C21F93A7FDA0AE8F4FF03787C7ED1B8A3C935ECA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000208711Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:06:56.312{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33BE018BF9822895F4FC00396875A275,SHA256=E7EEA9B6E745FE2030E067E9C618B7DF1C51F13FF631C00054CE2C444EFBE07B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000271996Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:06:54.070{EDA2768C-6FF5-642D-7000-00000000CB02}1600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-192.attackrange.local63857-false10.0.1.12-8000- 23542300x8000000000000000271995Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:06:56.117{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB1FFCBFCEB19B7B435BDAA3243FF7F5,SHA256=9BD8EAB89EBDB56589ABCE276DAF200BF41055C08AAFB99F6B2FAD4CB137F462,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000208713Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:06:55.070{8E625C7F-6FE3-642D-6100-00000000CC02}3076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-176.us-east-2.compute.internal49824-false10.0.1.12-8000- 23542300x8000000000000000208712Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:06:57.515{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45F1438C5B61528E5353C816B6EC506F,SHA256=2AB2E4FC5E380262008A41AD88417A06D245486CB5D6D4C7184982CF6939F3A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271997Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:06:57.211{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9BD709F3BEB8498418A1637C0712448D,SHA256=E02087A99F0136CDB789379B04284F85444AFA5CB121470E198B5329770ECD94,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000208714Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:06:58.828{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4323CD7C1D8FE61EF88F058B4D200A9,SHA256=8C26D84B904CCB54601AB3BB93EB15EB8EACCEEC60FB46DAB533F99C91AC7A53,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271999Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:06:58.305{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ACEC8BB6C8BF303E299471B82EAC9430,SHA256=C5E344844EBD99C9DA617D1207C966128D1963A5E26CCE750C499F8E2FBD4731,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271998Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:06:58.258{EDA2768C-6FDC-642D-1100-00000000CB02}92NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=24E68DCE2A26AE499B451082EEE1A095,SHA256=4609BAE2A2846CB8787884FCD97CAE8941F250DC709FAA3D98E84390CB52BAD7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272001Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:06:59.290{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44E889B2CF93A829DC6AC2BB254B8F98,SHA256=F15B29BD98E1D5DCC687A5DDC2FA76ABF431CC9641A57B3B66B180009CBD185D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272000Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:06:59.134{EDA2768C-6FDD-642D-1600-00000000CB02}1288NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\ProgramData\USOPrivate\UpdateStore\updatestore51b519d5-b6f5-4333-8df6-e74d7c9aead4.xml~RFa344e.TMPMD5=D3784C3152E0BE03D369AAF63BF9B8E2,SHA256=1807F0A299E1C24230919AF04B7DE487E611ACA1BEF51F2A74A2B2C99DF5CE17,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000208715Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:07:00.140{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=282D1F852467C38230ED3CFE49F25358,SHA256=2299A8B2029AD0C8EB01D1A03966FC1CD93737B9DEF4E4519018650A399D3158,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272003Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:07:00.384{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DDD0A9AC2D33C7A3CB5477958A8868F4,SHA256=DCA94ECD1B8703B688C113FDD739589076F2459585520A4B76ED1B7A3262D6A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272002Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:07:00.149{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=CF01B95516428DB2326C707D1381D6A8,SHA256=E9B9C17BB0D80CF16C92B67092AF3017E45DB3FE90822E6DBE262EE8B7C849BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000208716Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:07:01.234{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0920E797BBC06E5C707708C0B42C86A,SHA256=8DA8219F076B365A04BBACF61BF3FE7988D8B0CF228E5F7ED6D6DC52D15E7472,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272004Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:07:01.587{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA5B51F6AC4BB872B51DC789844A627A,SHA256=EC7049DD33B50A762D64DC72725039FD0C2D36F048296890ED558D29BB4EBAC9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000208720Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:07:01.007{8E625C7F-6FE3-642D-6100-00000000CC02}3076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-176.us-east-2.compute.internal49825-false10.0.1.12-8000- 23542300x8000000000000000208719Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:07:02.328{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1A013991B36494236EF6FF08EF2C1E9,SHA256=3B1EFCA28E487EFB8DD4239A3CFBA6D8D7CAA72E7601AFD853089CC616BB6598,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000272006Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:06:59.960{EDA2768C-6FF5-642D-7000-00000000CB02}1600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-192.attackrange.local63858-false10.0.1.12-8000- 23542300x8000000000000000272005Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:07:02.681{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83EC68652373BB5A43BE20D80780CDC2,SHA256=C217B895A3262B7484A470786C541DC8F856ED01A7716D19AB8CC989C79F3BAA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000208718Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:07:02.265{8E625C7F-6FDB-642D-4500-00000000CC02}30001628C:\Windows\system32\wbem\wmiprvse.exe{8E625C7F-6FD8-642D-1400-00000000CC02}972C:\Windows\system32\svchost.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\combase.dll+ac0a2|C:\Windows\System32\combase.dll+ac9ce|C:\Windows\System32\combase.dll+ac78f|C:\Windows\System32\combase.dll+2f298|C:\Windows\System32\combase.dll+2eeb0|C:\Windows\System32\combase.dll+3bc84|C:\Windows\System32\combase.dll+c2a64|C:\Windows\System32\combase.dll+38f43|C:\Windows\System32\combase.dll+3a700|C:\Windows\System32\combase.dll+4dba|C:\Windows\System32\RPCRT4.dll+d5ff4|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\combase.dll+3b223|C:\Windows\System32\combase.dll+3aed2|C:\Windows\System32\combase.dll+397e8|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d 10341000x8000000000000000208717Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:07:02.015{8E625C7F-6FD8-642D-1600-00000000CC02}12001472C:\Windows\System32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\cryptsvc.dll+6124|c:\windows\system32\cryptsvc.dll+5e34|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000208726Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:07:03.937{8E625C7F-7239-642D-EA00-00000000CC02}2844NT AUTHORITY\SYSTEMC:\Windows\system32\taskhostw.exeC:\ProgramData\Microsoft\Windows\Power Efficiency Diagnostics\energy-report.htmlMD5=088D918B7A4F757386F583CE14141B85,SHA256=1519FD4947B74598C96C335CC03A9F59519B683D6CF3C02005AF6C90D7199F57,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000208725Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:07:03.922{8E625C7F-7239-642D-EA00-00000000CC02}2844NT AUTHORITY\SYSTEMC:\Windows\system32\taskhostw.exeC:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\IDR_XML_DEFAULT_TRANSFORM[1]MD5=15F2D97D4CC84928F7B1C451696E46CC,SHA256=681ED90C97CC621F8D31C36C594202838DA4C282F9FB850E53C28AA024ACCF15,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000208724Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:07:03.922{8E625C7F-7239-642D-EA00-00000000CC02}2844NT AUTHORITY\SYSTEMC:\Windows\system32\taskhostw.exeC:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\IDR_XML_DEFAULT_TRANSFORM[1]MD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000208723Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:07:03.609{8E625C7F-7239-642D-EA00-00000000CC02}2844NT AUTHORITY\SYSTEMC:\Windows\system32\taskhostw.exeC:\ProgramData\Microsoft\Windows\Power Efficiency Diagnostics\energy-report-latest.xmlMD5=685B0D810B8066B3BF6A3511F21EC3BD,SHA256=9349CB57DF692CA946361D92E4EB8913BBC80B1ADC519CA5A5CEFB88A3FC5BC0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000208722Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:07:03.531{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C16B74B137F0406F4A6AF371D32AEE6,SHA256=F9A4281DA9AEDA1F869AD1F99B47868530971885403BDBCF43AD364D19E4632C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000208721Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:07:03.468{8E625C7F-6FD8-642D-1E00-00000000CC02}1944NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=A7F5F15494D40628A6454642BDB837C6,SHA256=A232CA83B5EE3C99D23413319539A66CCCA50F101DFBC10136DB50B1520A2DBE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272007Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:07:03.775{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=565EB6F9B0DC211BB9A03056C2515394,SHA256=3ADFAA6BA084CA5D6358F9B8EFCE813EB858EE2389245C2B435D50420232C15F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000208729Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:07:03.444{8E625C7F-6FD8-642D-1E00-00000000CC02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-176.us-east-2.compute.internal49826-false10.0.1.12-8089- 23542300x8000000000000000208728Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:07:04.515{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=674F0A7769F71F5D6BEDDD95EE9AD9A5,SHA256=FED8082D2A00A52F023B09BFBC50527A6E6BF03F817FB4187F4B295992BB3C35,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272008Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:07:04.978{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54D1279BBADEFB485DE8861EFA17F6D0,SHA256=1602554C169093CBA73E2170E59A3498778EFFE9E897C6356771DA2B5F3DA432,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000208727Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:07:04.062{8E625C7F-7239-642D-EA00-00000000CC02}2844NT AUTHORITY\SYSTEMC:\Windows\system32\taskhostw.exeC:\ProgramData\Microsoft\Windows\Power Efficiency Diagnostics\energy-trace.etlMD5=CA2EEB4A3B16E2D89AF63674E4ED8452,SHA256=488C4AABD982F869C345B7840DFBDBBA9A473F835324DD582F1AFBA2EB027272,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000208743Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:07:05.609{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12D00B087B12689BA6733897FEF84235,SHA256=0281861627015C3E07224992806E4218FB797A0E0C4FD027A6E92D5A3A594FC2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000208742Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:07:05.437{8E625C7F-6FD9-642D-2E00-00000000CC02}28362856C:\Windows\system32\conhost.exe{8E625C7F-7279-642D-F200-00000000CC02}1208C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208741Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:07:05.437{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208740Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:07:05.437{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208739Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:07:05.437{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208738Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:07:05.437{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208737Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:07:05.437{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208736Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:07:05.437{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208735Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:07:05.437{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208734Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:07:05.437{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208733Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:07:05.437{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208732Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:07:05.437{8E625C7F-6FD7-642D-0500-00000000CC02}4123824C:\Windows\system32\csrss.exe{8E625C7F-7279-642D-F200-00000000CC02}1208C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000208731Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:07:05.437{8E625C7F-6FD8-642D-1E00-00000000CC02}19442984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8E625C7F-7279-642D-F200-00000000CC02}1208C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000208730Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:07:05.438{8E625C7F-7279-642D-F200-00000000CC02}1208C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8E625C7F-6FD7-642D-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{8E625C7F-6FD8-642D-1E00-00000000CC02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000208760Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:07:06.703{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5D566FE2AA957ACE6167D2883357030,SHA256=84F8E634E762D778877322E6F4E56007E023B6C4120B904929A4B1753BAD11F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000208759Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:07:06.625{8E625C7F-6FD8-642D-1E00-00000000CC02}1944NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=20AE4BF05B12A5EC047BEB805FD3BD46,SHA256=9007240BD18EF54B564338B2B41F8F63A74E77A0752D6A19729335401B7F704E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000208758Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:07:06.531{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=625C6199678E3483992FE26497EAFE92,SHA256=4FCBF99522AA275EB7F61AA4299766EE7F76F6C21EABBC5D2D098F7C42788982,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000208757Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:07:06.484{8E625C7F-727A-642D-F300-00000000CC02}34562640C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{8E625C7F-6FD8-642D-1E00-00000000CC02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208756Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:07:06.296{8E625C7F-6FD9-642D-2E00-00000000CC02}28362856C:\Windows\system32\conhost.exe{8E625C7F-727A-642D-F300-00000000CC02}3456C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208755Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:07:06.296{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208754Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:07:06.296{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208753Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:07:06.296{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208752Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:07:06.296{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208751Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:07:06.296{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208750Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:07:06.296{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208749Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:07:06.296{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208748Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:07:06.296{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208747Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:07:06.296{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208746Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:07:06.296{8E625C7F-6FD7-642D-0500-00000000CC02}4121036C:\Windows\system32\csrss.exe{8E625C7F-727A-642D-F300-00000000CC02}3456C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000208745Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:07:06.296{8E625C7F-6FD8-642D-1E00-00000000CC02}19442984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8E625C7F-727A-642D-F300-00000000CC02}3456C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000208744Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:07:06.297{8E625C7F-727A-642D-F300-00000000CC02}3456C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8E625C7F-6FD7-642D-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{8E625C7F-6FD8-642D-1E00-00000000CC02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000272009Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:07:06.072{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F70B13302016919EF63551A813DC7E30,SHA256=9F22023961361870913FBE2E8EBAEBBDF23401BF63C74FFA3FC398BD05BC64BD,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000208775Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:07:05.469{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-176.us-east-2.compute.internal49827-false192.229.211.108-80http 23542300x8000000000000000208774Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:07:07.797{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A9B81FD6CE55A351230585426055FBB,SHA256=96C434112164BE8238CC5D0381E439E903376305BDB498C143C7751A23E91D3F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000208773Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:07:07.031{8E625C7F-6FD9-642D-2E00-00000000CC02}28362856C:\Windows\system32\conhost.exe{8E625C7F-727B-642D-F400-00000000CC02}3424C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208772Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:07:07.031{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208771Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:07:07.031{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208770Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:07:07.031{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208769Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:07:07.031{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208768Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:07:07.031{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208767Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:07:07.031{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208766Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:07:07.031{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208765Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:07:07.031{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208764Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:07:07.031{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208763Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:07:07.031{8E625C7F-6FD7-642D-0500-00000000CC02}4123824C:\Windows\system32\csrss.exe{8E625C7F-727B-642D-F400-00000000CC02}3424C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000208762Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:07:07.031{8E625C7F-6FD8-642D-1E00-00000000CC02}19442984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8E625C7F-727B-642D-F400-00000000CC02}3424C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000208761Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:07:07.033{8E625C7F-727B-642D-F400-00000000CC02}3424C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8E625C7F-6FD7-642D-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{8E625C7F-6FD8-642D-1E00-00000000CC02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000272010Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:07:07.166{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98A2477A1D5A60DE8D9ABA85706DC98A,SHA256=B1E8C00F9F3B1BCB39169F032E9A9100FB41BCF7368FB5222B8A150EB7DE8D2E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000208789Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:07:08.937{8E625C7F-6FD9-642D-2E00-00000000CC02}28362856C:\Windows\system32\conhost.exe{8E625C7F-727C-642D-F500-00000000CC02}3476C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208788Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:07:08.937{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208787Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:07:08.937{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208786Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:07:08.937{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208785Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:07:08.937{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208784Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:07:08.937{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208783Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:07:08.937{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208782Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:07:08.937{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208781Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:07:08.937{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208780Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:07:08.937{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208779Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:07:08.937{8E625C7F-6FD7-642D-0500-00000000CC02}412428C:\Windows\system32\csrss.exe{8E625C7F-727C-642D-F500-00000000CC02}3476C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000208778Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:07:08.937{8E625C7F-6FD8-642D-1E00-00000000CC02}19442984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8E625C7F-727C-642D-F500-00000000CC02}3476C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000208777Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:07:08.938{8E625C7F-727C-642D-F500-00000000CC02}3476C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8E625C7F-6FD7-642D-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{8E625C7F-6FD8-642D-1E00-00000000CC02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000208776Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:07:08.890{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31991D0DC6C451E8ED744685F5081970,SHA256=86786C924E6C87C9EF67EEDC4844B819832CA9D75CE6BA85DC3195DA13D06255,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000272014Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:07:08.620{EDA2768C-6FEC-642D-4800-00000000CB02}36563684C:\Windows\system32\wbem\wmiprvse.exe{EDA2768C-6FDD-642D-1600-00000000CB02}1288C:\Windows\system32\svchost.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\combase.dll+ac0a2|C:\Windows\System32\combase.dll+ac9ce|C:\Windows\System32\combase.dll+ac78f|C:\Windows\System32\combase.dll+2f298|C:\Windows\System32\combase.dll+2eeb0|C:\Windows\System32\combase.dll+3bc84|C:\Windows\System32\combase.dll+c2a64|C:\Windows\System32\combase.dll+38f43|C:\Windows\System32\combase.dll+3a700|C:\Windows\System32\combase.dll+4dba|C:\Windows\System32\RPCRT4.dll+d5ff4|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\combase.dll+3b223|C:\Windows\System32\combase.dll+3aed2|C:\Windows\System32\combase.dll+397e8|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d 10341000x8000000000000000272013Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:07:08.354{EDA2768C-6FDC-642D-1400-00000000CB02}10681804C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\cryptsvc.dll+6124|c:\windows\system32\cryptsvc.dll+5e34|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000272012Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:07:08.260{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F12193D641A6519C4DFA1A4C7C0FC079,SHA256=906C3C2BB3B8340A20AD14D43652FFA9012F089398CFA69210FC2D0BFBADC3E5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000272011Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:07:05.588{EDA2768C-6FEA-642D-2A00-00000000CB02}2644C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-192.attackrange.local53domainfalse10.0.1.15WIN-HOST-CTUS-A62457- 10341000x8000000000000000208804Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:07:09.902{8E625C7F-6FD9-642D-2E00-00000000CC02}28362856C:\Windows\system32\conhost.exe{8E625C7F-727D-642D-F600-00000000CC02}3344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208803Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:07:09.902{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208802Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:07:09.902{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208801Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:07:09.902{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208800Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:07:09.902{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208799Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:07:09.902{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208798Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:07:09.902{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208797Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:07:09.902{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208796Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:07:09.902{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208795Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:07:09.902{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208794Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:07:09.902{8E625C7F-6FD7-642D-0500-00000000CC02}412540C:\Windows\system32\csrss.exe{8E625C7F-727D-642D-F600-00000000CC02}3344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000208793Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:07:09.902{8E625C7F-6FD8-642D-1E00-00000000CC02}19442984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8E625C7F-727D-642D-F600-00000000CC02}3344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000208792Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:07:09.902{8E625C7F-727D-642D-F600-00000000CC02}3344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{8E625C7F-6FD7-642D-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{8E625C7F-6FD8-642D-1E00-00000000CC02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000208791Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:07:09.109{8E625C7F-727C-642D-F500-00000000CC02}34763468C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{8E625C7F-6FD8-642D-1E00-00000000CC02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000208790Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:07:07.038{8E625C7F-6FE3-642D-6100-00000000CC02}3076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-176.us-east-2.compute.internal49828-false10.0.1.12-8000- 23542300x8000000000000000272016Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:07:09.463{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5E0E5C8EE213D76F0BE1A99FAD9BA53,SHA256=726A792FB488EE2252FE01BC8956CD781E45946C3C0E123A4028B357EF00D3BC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000272015Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:07:05.960{EDA2768C-6FF5-642D-7000-00000000CB02}1600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-192.attackrange.local63859-false10.0.1.12-8000- 10341000x8000000000000000208821Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:07:10.739{8E625C7F-727E-642D-F700-00000000CC02}40882784C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{8E625C7F-6FD8-642D-1E00-00000000CC02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208820Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:07:10.582{8E625C7F-6FD9-642D-2E00-00000000CC02}28362856C:\Windows\system32\conhost.exe{8E625C7F-727E-642D-F700-00000000CC02}4088C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208819Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:07:10.582{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208818Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:07:10.582{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208817Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:07:10.582{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208816Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:07:10.582{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208815Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:07:10.582{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208814Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:07:10.582{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208813Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:07:10.582{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208812Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:07:10.582{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208811Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:07:10.582{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208810Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:07:10.582{8E625C7F-6FD7-642D-0500-00000000CC02}4121036C:\Windows\system32\csrss.exe{8E625C7F-727E-642D-F700-00000000CC02}4088C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000208809Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:07:10.582{8E625C7F-6FD8-642D-1E00-00000000CC02}19442984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8E625C7F-727E-642D-F700-00000000CC02}4088C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000208808Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:07:10.583{8E625C7F-727E-642D-F700-00000000CC02}4088C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8E625C7F-6FD7-642D-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{8E625C7F-6FD8-642D-1E00-00000000CC02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000208807Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:07:10.089{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3620F07163633764ABAF3B5A29BAA44A,SHA256=00199CC46FC2C45B3D00A50BAB2065B9472CF956EF35CC565E2D61D472DAFC70,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000208806Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:07:10.071{8E625C7F-727D-642D-F600-00000000CC02}33442656C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{8E625C7F-6FD8-642D-1E00-00000000CC02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000208805Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:07:10.060{8E625C7F-6FD8-642D-1A00-00000000CC02}1868NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0349dcef4ef1bffd1\channels\health\respondent-20230405125554-010MD5=01AFA1117B3FF8C251038CF8389D3BC3,SHA256=E6B2DA3B1F447C8796BEA507CA8DDC0A951700532C0315D7CA2BAFBA4D11A451,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272023Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:07:10.807{EDA2768C-7240-642D-F100-00000000CB02}2860NT AUTHORITY\SYSTEMC:\Windows\system32\taskhostw.exeC:\ProgramData\Microsoft\Windows\Power Efficiency Diagnostics\energy-trace.etlMD5=885B646B145F89BF52B8EA2CA81C8D8C,SHA256=66E905044A00EE46A83DF0DB8367C3D93C0037D9298537682091D3F236BA1866,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272022Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:07:10.667{EDA2768C-7240-642D-F100-00000000CB02}2860NT AUTHORITY\SYSTEMC:\Windows\system32\taskhostw.exeC:\ProgramData\Microsoft\Windows\Power Efficiency Diagnostics\energy-report.htmlMD5=5890BD7D18E644C7009691B0811BEABC,SHA256=F00C60CCEB049BBB744149C3C85D72C5E827A857BD311F5DA6527E08F287E6B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272021Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:07:10.667{EDA2768C-7240-642D-F100-00000000CB02}2860NT AUTHORITY\SYSTEMC:\Windows\system32\taskhostw.exeC:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\IDR_XML_DEFAULT_TRANSFORM[1]MD5=15F2D97D4CC84928F7B1C451696E46CC,SHA256=681ED90C97CC621F8D31C36C594202838DA4C282F9FB850E53C28AA024ACCF15,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272020Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:07:10.667{EDA2768C-7240-642D-F100-00000000CB02}2860NT AUTHORITY\SYSTEMC:\Windows\system32\taskhostw.exeC:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\IDR_XML_DEFAULT_TRANSFORM[1]MD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272019Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:07:10.667{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ACEF09533F96CF044F07673F6D7800A1,SHA256=942853A408AC1AFFC55395FBAEF3D48AF9A4CB5A9FDCD6752C05816D9D571D97,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272018Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:07:10.214{EDA2768C-7240-642D-F100-00000000CB02}2860NT AUTHORITY\SYSTEMC:\Windows\system32\taskhostw.exeC:\ProgramData\Microsoft\Windows\Power Efficiency Diagnostics\energy-report-latest.xmlMD5=0D2A31EDD012574EB9A421A04C3B9BF9,SHA256=837B46D831E36CEE816DA7A46FCEDF972500A5536CE9459C683BDC9A441B7793,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272017Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:07:10.073{EDA2768C-6FEA-642D-2900-00000000CB02}2628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=D5CA56D6F3597357E8C3B1CA51B9F30C,SHA256=9E08A18D639B411C72E2A6F9A6F9758642B555BE3D4AE0CCE8F17A39E92A7600,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000208824Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:07:11.649{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C460C7CEB77F79BE08E0BEC99E9E0DAF,SHA256=28213E82F7BFDB6CFBD3FD92619BA246C8DE82AB37648E00078392DB20F0E030,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000208823Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:07:11.081{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF2A2CA52D65046A407D57B7F657AD25,SHA256=34B28E1175C4AB870EA7E0E1CBA310327460F90D83F0B2A18109B87EC688CB03,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000208822Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:07:11.068{8E625C7F-6FD8-642D-1A00-00000000CC02}1868NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0349dcef4ef1bffd1\channels\health\surveyor-20230405125553-011MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272024Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:07:11.761{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5980C7F3495F9DA8355752141426293D,SHA256=C1CCC0FD71628D8E8C846AE9E0A47E104621EA3ADDED0F1E1D4BDC843CEC6DC6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000208838Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:07:12.384{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B749197275F7002A7ECF278143618E1,SHA256=96C5E0D32A800AB596FF46708D5A3FBA9C24A8B0C8468A947C8710EC8CD4ABA3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000208837Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:07:12.306{8E625C7F-6FD9-642D-2E00-00000000CC02}28362856C:\Windows\system32\conhost.exe{8E625C7F-7280-642D-F800-00000000CC02}3148C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208836Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:07:12.306{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208835Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:07:12.306{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208834Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:07:12.306{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208833Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:07:12.306{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208832Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:07:12.306{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208831Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:07:12.306{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208830Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:07:12.306{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208829Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:07:12.306{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208828Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:07:12.306{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208827Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:07:12.306{8E625C7F-6FD7-642D-0500-00000000CC02}4123824C:\Windows\system32\csrss.exe{8E625C7F-7280-642D-F800-00000000CC02}3148C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000208826Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:07:12.306{8E625C7F-6FD8-642D-1E00-00000000CC02}19442984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8E625C7F-7280-642D-F800-00000000CC02}3148C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000208825Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:07:12.306{8E625C7F-7280-642D-F800-00000000CC02}3148C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8E625C7F-6FD7-642D-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{8E625C7F-6FD8-642D-1E00-00000000CC02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000272026Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:07:12.855{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87C5C1C4D4BEAF242FFF3EE35B73B356,SHA256=FB6DF81041B3F0F4ED9D18BF45BF6049B9EC84DF466C73A6DD4037A35C7384F4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000272025Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:07:08.945{EDA2768C-6FEA-642D-2900-00000000CB02}2628C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-192.attackrange.local63860-false10.0.1.12-8089- 23542300x8000000000000000208839Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:07:13.368{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=566D72A3EC7B082ADC03A09DDE7B87FF,SHA256=120CD638203F3B1A652978BFD6E7926288CE8F542A217B7DD2084F7C6E20CF2F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000208840Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:07:14.571{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=595DF6F547B4E2788E3D733A00149771,SHA256=7CCE3FC3435BDB6ECF88D901C5982246843E793050A817C7188FC460EFE730A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272027Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:07:14.058{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF0BB7EADF6544D63067D3B971B8FA31,SHA256=753C14AF449B20C56BB68EB2A1ED18AEEF8860B279841FA8FBBADDAE4A02FE52,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000208842Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:07:15.884{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4AE5F7B824530E97107628C9CBF4E3FE,SHA256=2860AD57649B403BF82CC56F884D1B748FFA97D27A6509A9CF7667FFFBFE4941,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000208841Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:07:13.064{8E625C7F-6FE3-642D-6100-00000000CC02}3076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-176.us-east-2.compute.internal49829-false10.0.1.12-8000- 23542300x8000000000000000272029Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:07:15.261{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A52118C1767C6A918FA91C58555E319,SHA256=5890354094AB1A21F72B3B33F15FC7C3CFA8E44BAE0271A439AD35B986ECDFE8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000272028Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:07:11.944{EDA2768C-6FF5-642D-7000-00000000CB02}1600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-192.attackrange.local63861-false10.0.1.12-8000- 23542300x8000000000000000272030Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:07:16.355{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D63B6FB9973AF7F499555D9599993B58,SHA256=124E4586B998E69415862F46D651CD2B8799149226B05C5E28C7BC812C54EF8D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000208843Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:07:17.087{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D8959B953BC3E3BE37187AE40934B3D,SHA256=442F52E6989C0617A422C90EEB48DB8D9A29E790197F7ADEF193656DE87A9ED2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272031Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:07:17.449{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4872BA3780E834E5285F45F5247684F5,SHA256=965A51724FE49619C1CD016A05E59B2E34D61D5D41DD41CC8398EE858B1F2D34,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000208844Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:07:18.399{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D452B3B99776D14E273E0F9AF7058F16,SHA256=55500C39097B668FA7F3038ED9AD88768E6AA4172C1F5C591CBD6531B00D55A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272032Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:07:18.559{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7589EEFCC0A5E35837EF6335594BCD7,SHA256=30385D7FDBCB61CA07FD2CA49A0655DBC9D08CC54E41EFE6C4FF6169B8C7BEB7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000208845Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:07:19.493{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7391646810EF621B2151DE3CA63B2C2,SHA256=349F709470770003F250F466EC661EF037468BECBDB08F78F31FBC607FDEFAF9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272033Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:07:19.762{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=392F68C5F905A89E0419F5C57CE1EAE2,SHA256=EB03226F069F5EE2B42A87FFDAA1E322F13A8C8DFB9D04E5B882191CF00AC13E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000208847Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:07:18.094{8E625C7F-6FE3-642D-6100-00000000CC02}3076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-176.us-east-2.compute.internal49830-false10.0.1.12-8000- 23542300x8000000000000000208846Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:07:20.587{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5842E3BBAC7A869693D72A9DD2B356B2,SHA256=B651E920534BF5E1404FB769AB6D36B392A99C6B5C12D957FEB697BEE3C71B8C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272035Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:07:20.965{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F0FD95B46144C558E06C8EE92A2648B,SHA256=173EE4ADFDAD0637F4C78C147769A47B51E13B26344A2E8D30D854DA184E4656,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000272034Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:07:17.038{EDA2768C-6FF5-642D-7000-00000000CB02}1600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-192.attackrange.local63862-false10.0.1.12-8000- 23542300x8000000000000000208848Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:07:21.899{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8DDA6951304E6AAD73B79456D12D06E2,SHA256=F22F0245093F9AD127305FD22D6BC7856AA61A440CC9BBE288037C1610AFED9D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272036Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:07:22.059{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6629D535E9D65D83A794CBFCE1A2A71,SHA256=90D480EBB861202A783A2FB901CB5540128B437279D72302B4A3B33B323E83E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000208849Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:07:23.102{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E66EBDAA6BA968C4C8802F0F0762BBF,SHA256=86BFDB53EC2DCA6378A71819D0649FC7B3198213FE20559FF64CB46D5E28E11C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272037Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:07:23.153{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD6D5FE68CB593619B61AEFAD8B57EEA,SHA256=BC2F3E64B79B9B37D6A2092A1EC52AB74D7BB31D9D97675C48868FD91C8A083F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000208851Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:07:23.172{8E625C7F-6FE3-642D-6100-00000000CC02}3076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-176.us-east-2.compute.internal49831-false10.0.1.12-8000- 23542300x8000000000000000208850Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:07:24.305{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E96449E1B76D71C510D9A00B87FBFD5E,SHA256=3EB7A106F32A4376A1605E930866E6D9985F3EAD512541F4C69FE98D891FEF18,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000272064Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:07:24.872{EDA2768C-6FEB-642D-3500-00000000CB02}31363164C:\Windows\system32\conhost.exe{EDA2768C-728C-642D-FA00-00000000CB02}340C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272063Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:07:24.872{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272062Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:07:24.872{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272061Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:07:24.872{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272060Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:07:24.872{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272059Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:07:24.872{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272058Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:07:24.872{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272057Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:07:24.872{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272056Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:07:24.872{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272055Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:07:24.872{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272054Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:07:24.872{EDA2768C-6FD9-642D-0500-00000000CB02}420548C:\Windows\system32\csrss.exe{EDA2768C-728C-642D-FA00-00000000CB02}340C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000272053Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:07:24.872{EDA2768C-6FEA-642D-2900-00000000CB02}26284044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EDA2768C-728C-642D-FA00-00000000CB02}340C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000272052Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:07:24.874{EDA2768C-728C-642D-FA00-00000000CB02}340C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{EDA2768C-6FDA-642D-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{EDA2768C-6FEA-642D-2900-00000000CB02}2628C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000272051Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:07:24.356{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33CFF2FE7157C7D9C03599E29700E9DA,SHA256=95E7227AA2A78079F1015B8FD459145A6DDFFD50C2E7D396AF9D8DB01ED27B16,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000272050Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:07:24.075{EDA2768C-6FEB-642D-3500-00000000CB02}31363164C:\Windows\system32\conhost.exe{EDA2768C-728C-642D-F900-00000000CB02}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272049Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:07:24.075{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272048Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:07:24.075{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272047Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:07:24.075{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272046Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:07:24.075{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272045Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:07:24.075{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272044Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:07:24.075{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272043Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:07:24.075{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272042Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:07:24.075{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272041Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:07:24.075{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272040Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:07:24.075{EDA2768C-6FD9-642D-0500-00000000CB02}420784C:\Windows\system32\csrss.exe{EDA2768C-728C-642D-F900-00000000CB02}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000272039Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:07:24.075{EDA2768C-6FEA-642D-2900-00000000CB02}26284044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EDA2768C-728C-642D-F900-00000000CB02}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000272038Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:07:24.076{EDA2768C-728C-642D-F900-00000000CB02}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{EDA2768C-6FDA-642D-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{EDA2768C-6FEA-642D-2900-00000000CB02}2628C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000208852Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:07:25.399{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5B5F1448FF1EF450C5299ED68179CFA,SHA256=4060CB11BD37DDCCCD529F40ABFE715868D93185D9069E2C39CB3359EB20355C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000272083Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:07:25.857{EDA2768C-6FEB-642D-3500-00000000CB02}31363164C:\Windows\system32\conhost.exe{EDA2768C-728D-642D-FB00-00000000CB02}2224C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272082Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:07:25.857{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272081Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:07:25.857{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272080Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:07:25.857{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272079Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:07:25.857{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272078Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:07:25.857{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272077Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:07:25.857{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272076Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:07:25.857{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272075Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:07:25.857{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272074Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:07:25.857{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272073Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:07:25.857{EDA2768C-6FD9-642D-0500-00000000CB02}420548C:\Windows\system32\csrss.exe{EDA2768C-728D-642D-FB00-00000000CB02}2224C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000272072Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:07:25.857{EDA2768C-6FEA-642D-2900-00000000CB02}26284044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EDA2768C-728D-642D-FB00-00000000CB02}2224C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000272071Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:07:25.857{EDA2768C-728D-642D-FB00-00000000CB02}2224C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{EDA2768C-6FDA-642D-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{EDA2768C-6FEA-642D-2900-00000000CB02}2628C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 13241300x8000000000000000272070Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-SetValue2023-04-05 13:07:25.638{EDA2768C-6FDC-642D-1200-00000000CB02}388C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d967bf-0x912fd102) 23542300x8000000000000000272069Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:07:25.450{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=623EE736B797BDC615FB2B4EE3C93983,SHA256=5ABD9E64349B32D1B3163EE95FD6FC4B1C1EB3EF671808DA0EF5DD6DC4D3FB3B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000272068Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:07:22.913{EDA2768C-6FF5-642D-7000-00000000CB02}1600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-192.attackrange.local63863-false10.0.1.12-8000- 23542300x8000000000000000272067Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:07:25.185{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3F6FCB51F6DE008D21061662B5434C36,SHA256=7102AEE2859A66D85665C67567E4DD5D809323E49557C5D859A1C31CD8AFC359,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000272066Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:07:25.091{EDA2768C-728C-642D-FA00-00000000CB02}3403720C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{EDA2768C-6FEA-642D-2900-00000000CB02}2628C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000272065Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:07:25.091{EDA2768C-6FEA-642D-2900-00000000CB02}2628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=221587AE2E77BE5572597D72CF67CD01,SHA256=F691CC6A60210BDFB2ED63C4765FED78417A3329EBE06CEEF3B1049BD87C8DA1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000208853Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:07:26.493{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=488305A6E28C344AE48D5B9B6825BAAC,SHA256=A91C31C597B88095B4AD7F1F30BACA60D5D5AAA2B6E2EE29C0BA8B11DDCDBB45,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272084Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:07:26.654{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1F6D9744511D4728A0006EF413C6FF3,SHA256=2CF1838E92E851BB9F8DE2D9BFC33EAE8F91721617B76637620E7EB329526659,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000208854Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:07:27.587{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB89B4CE6983329E46352DF5B8B5998F,SHA256=7B74C5CD7ACD11E8053BAB7DF862D99DA713096700536C0388CE15116A3E85B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272100Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:07:27.857{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=349592A18028F98FB33E04254B82D690,SHA256=48CAEEE305DDF30A4A3014D57850EB9AAB0E7B055079A6DE21EA3D95E8C92ACC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000272099Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:07:27.857{EDA2768C-6FEB-642D-3500-00000000CB02}31363164C:\Windows\system32\conhost.exe{EDA2768C-728F-642D-FC00-00000000CB02}2684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272098Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:07:27.857{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272097Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:07:27.857{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272096Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:07:27.857{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272095Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:07:27.857{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272094Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:07:27.857{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272093Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:07:27.857{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272092Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:07:27.857{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272091Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:07:27.857{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272090Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:07:27.857{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272089Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:07:27.857{EDA2768C-6FD9-642D-0500-00000000CB02}420436C:\Windows\system32\csrss.exe{EDA2768C-728F-642D-FC00-00000000CB02}2684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000272088Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:07:27.857{EDA2768C-6FEA-642D-2900-00000000CB02}26284044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EDA2768C-728F-642D-FC00-00000000CB02}2684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000272087Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:07:27.858{EDA2768C-728F-642D-FC00-00000000CB02}2684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{EDA2768C-6FDA-642D-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{EDA2768C-6FEA-642D-2900-00000000CB02}2628C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000272086Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:07:24.632{EDA2768C-6FDA-642D-0B00-00000000CB02}648C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-192.attackrange.local63864-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-192.attackrange.local389ldap 354300x8000000000000000272085Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:07:24.632{EDA2768C-6FEA-642D-2700-00000000CB02}2600C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-192.attackrange.local63864-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-192.attackrange.local389ldap 23542300x8000000000000000208855Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:07:28.681{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E20CC2B962F99766E337347AB600EA6B,SHA256=15A0FAB0B636BE33EC6D84CBDE22A274BA0C27649EC2EBC9B73CC226185FA6D4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000272115Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:07:28.529{EDA2768C-7290-642D-FD00-00000000CB02}37923632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{EDA2768C-6FEA-642D-2900-00000000CB02}2628C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272114Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:07:28.357{EDA2768C-6FEB-642D-3500-00000000CB02}31363164C:\Windows\system32\conhost.exe{EDA2768C-7290-642D-FD00-00000000CB02}3792C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272113Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:07:28.357{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272112Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:07:28.357{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272111Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:07:28.357{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272110Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:07:28.357{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272109Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:07:28.357{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272108Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:07:28.357{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272107Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:07:28.357{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272106Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:07:28.357{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272105Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:07:28.357{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272104Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:07:28.357{EDA2768C-6FD9-642D-0500-00000000CB02}420436C:\Windows\system32\csrss.exe{EDA2768C-7290-642D-FD00-00000000CB02}3792C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000272103Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:07:28.357{EDA2768C-6FEA-642D-2900-00000000CB02}26284044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EDA2768C-7290-642D-FD00-00000000CB02}3792C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000272102Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:07:28.358{EDA2768C-7290-642D-FD00-00000000CB02}3792C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{EDA2768C-6FDA-642D-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{EDA2768C-6FEA-642D-2900-00000000CB02}2628C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000272101Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:07:28.076{EDA2768C-728F-642D-FC00-00000000CB02}26843880C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{EDA2768C-6FEA-642D-2900-00000000CB02}2628C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000208856Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:07:29.884{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57F6E68D622E726B7880991A22E4D9E7,SHA256=4DFFC613463385FEBBCFD7E1646D934923B6AC8095F0F58844DD35A94DE3B62F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000272131Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:07:29.251{EDA2768C-7291-642D-FE00-00000000CB02}38363584C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{EDA2768C-6FEA-642D-2900-00000000CB02}2628C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000272130Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:07:29.198{EDA2768C-6FEA-642D-2800-00000000CB02}2608NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0325ca857d975bee2\channels\health\respondent-20230405125612-010MD5=8F9BF81EEEF0CC5FBD19D34ACA4D7654,SHA256=BDB857148A23C205BC97FF1DFCA28720A075C205934C789E9782C71AA2112876,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272129Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:07:29.148{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8972FCE21C05B633ED0622BDCB32EFCF,SHA256=6E0FEA47BD6FFD6E89210989C420C00B00D493CC51C644209AB85C023B763F56,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000272128Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:07:29.055{EDA2768C-6FEB-642D-3500-00000000CB02}31363164C:\Windows\system32\conhost.exe{EDA2768C-7291-642D-FE00-00000000CB02}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272127Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:07:29.055{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272126Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:07:29.055{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272125Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:07:29.055{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272124Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:07:29.055{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272123Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:07:29.055{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272122Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:07:29.055{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272121Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:07:29.055{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272120Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:07:29.055{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272119Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:07:29.055{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272118Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:07:29.055{EDA2768C-6FD9-642D-0500-00000000CB02}420548C:\Windows\system32\csrss.exe{EDA2768C-7291-642D-FE00-00000000CB02}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000272117Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:07:29.055{EDA2768C-6FEA-642D-2900-00000000CB02}26284044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EDA2768C-7291-642D-FE00-00000000CB02}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000272116Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:07:29.055{EDA2768C-7291-642D-FE00-00000000CB02}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{EDA2768C-6FDA-642D-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{EDA2768C-6FEA-642D-2900-00000000CB02}2628C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000208857Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:07:30.977{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75317D53C9053020EE294647DE6BA070,SHA256=DFB4CA106E3BF85F414E19A16AF258FF99CCCE7F62B1EE42C98ACB89E710285D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000272134Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:07:28.001{EDA2768C-6FF5-642D-7000-00000000CB02}1600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-192.attackrange.local63865-false10.0.1.12-8000- 23542300x8000000000000000272133Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:07:30.206{EDA2768C-6FEA-642D-2800-00000000CB02}2608NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0325ca857d975bee2\channels\health\surveyor-20230405125610-011MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272132Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:07:30.157{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=760CEC0C39772ECEBBD54D2D59065EA3,SHA256=4D7F0D6E9E598DCB886CBDB0DFB05D04B3DFB0582CFE2005EE0E3C3AD85159FC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000208858Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:07:29.094{8E625C7F-6FE3-642D-6100-00000000CC02}3076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-176.us-east-2.compute.internal49832-false10.0.1.12-8000- 23542300x8000000000000000272148Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:07:31.247{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3A5584A1EB54887F4BCC2B9C8559353,SHA256=47B459D1A6E0C14707019D4397EF41434E0D7D9DDB11500BC786F015C412738E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000272147Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:07:31.044{EDA2768C-6FEB-642D-3500-00000000CB02}31363164C:\Windows\system32\conhost.exe{EDA2768C-7293-642D-FF00-00000000CB02}2192C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272146Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:07:31.044{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272145Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:07:31.044{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272144Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:07:31.044{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272143Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:07:31.044{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272142Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:07:31.044{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272141Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:07:31.044{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272140Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:07:31.044{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272139Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:07:31.044{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272138Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:07:31.044{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272137Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:07:31.044{EDA2768C-6FD9-642D-0500-00000000CB02}420436C:\Windows\system32\csrss.exe{EDA2768C-7293-642D-FF00-00000000CB02}2192C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000272136Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:07:31.044{EDA2768C-6FEA-642D-2900-00000000CB02}26284044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EDA2768C-7293-642D-FF00-00000000CB02}2192C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000272135Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:07:31.045{EDA2768C-7293-642D-FF00-00000000CB02}2192C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{EDA2768C-6FDA-642D-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{EDA2768C-6FEA-642D-2900-00000000CB02}2628C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000208859Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:07:32.181{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ECAF4C64062B0BF6A5073921B373D6D3,SHA256=B42254786D2639CC1B736436C6E3AC9C4AC24D77C4909EF80D1042C3FDF327F8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000272151Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:07:32.701{EDA2768C-6FDC-642D-0D00-00000000CB02}9161080C:\Windows\system32\svchost.exe{EDA2768C-6FDC-642D-1200-00000000CB02}388C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3ca94|c:\windows\system32\rpcss.dll+29447|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000272150Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:07:32.357{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56DD2BFEC06376FFC7F8E300C495D7D7,SHA256=69D9A66AAAC6560282919B844290E078161100F16F9EDE8D55D769366F95B482,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272149Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:07:32.185{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=22C024FE0D3CF20BD35CAAD8B81F5FC1,SHA256=2D49BC017F98897B8CC1AD59040BBC0F8118DC9560971D478B5681A5793E4121,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000208860Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:07:33.493{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA0F0A339D83ACAED19213DE98E77722,SHA256=B8193E2173D77F4E54AFBA350E883B51912ADEB4CF1ADB0920BE99AC1F4325C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272152Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:07:33.451{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39C797A00C056D523108D6E47F987064,SHA256=77F170958316D1E35752E558001FA2511F4C6658CB6A8AFC7D07C1335EBFAE5B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000208861Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:07:34.587{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11074867594B86FB7F76204714672C08,SHA256=4D2E45DB3C10439E83DD7898E5DA9E264C4A03E1069F558E3A8315E86AB72D38,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272153Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:07:34.654{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=123E7F0C129E7A2FCB70DF9BFB03A0A6,SHA256=EE0828ACA94EC16EDFFEAD97A11F91421F65AA7503C01D4327550EE5A499F83B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000208863Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:07:34.219{8E625C7F-6FE3-642D-6100-00000000CC02}3076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-176.us-east-2.compute.internal49833-false10.0.1.12-8000- 23542300x8000000000000000208862Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:07:35.680{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01C58E00F758FF7DFD0218C8465AE2EB,SHA256=22CFF28062A47736A3BABB87EF5D2058A884E1A58FC7CA77EE5010535A52651E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272154Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:07:35.748{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42E0A812A7C3BA3AF7856F6C01751856,SHA256=7299255406A309781A84F21BE2A98FB7737C5FB00D21B41491245E808B89295E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000208865Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:07:36.993{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7732BD4991CABFE1736D8473020DF0C8,SHA256=6690474FA804E67FBEC5F24B5AC82C83EF9F213D8766B2C0A5F0AC60D4E11A7D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000208864Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:07:36.852{8E625C7F-6FD8-642D-1E00-00000000CC02}1944NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=A41DA9A4322D94A485C428210E6C64C5,SHA256=A0D59FD96F78D100F65744610DF7299C65AAF97D4935E0338956EE2B232AA005,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272156Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:07:36.842{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11D65ED79CF3D83EF2F319380D044488,SHA256=1DA9C3D188AF4340AAD52437D7055FF166CEA49C635113AE427A3B73E1466626,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000272155Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:07:33.928{EDA2768C-6FF5-642D-7000-00000000CB02}1600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-192.attackrange.local63866-false10.0.1.12-8000- 23542300x8000000000000000272157Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:07:37.936{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6DDE68E83504418307A56281115E7543,SHA256=2DF94CDBE8172E643E5C5E6CE56D7409C3770B012B16A56B5764BD2EA439EA98,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000208866Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:07:38.087{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=674F6F7D08BE8D0B72B4D0D3B8EB94DC,SHA256=94650F7CB1BBF0D462D93C9CBEFCD5B1915FE5F68CA5810C0569929A1840C4EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000208867Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:07:39.399{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0459F7446AA619C7A985073AF8A1783E,SHA256=39D6872D2CC21D7A03EB8EFC0DBF0DF6CABAA85565A0952F81DEF6B385CE64C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272158Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:07:39.030{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA222CE51FB780F5E0F2AFB5D50A0671,SHA256=EA664A8A050E3F3A8B885B885F4D16A90E5BB6FDA80FD706ED0ABBCCE232FB6E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000208868Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:07:40.712{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F4EB66FEC170D2E014A60AFECADC82C,SHA256=A76D969BB42CCE2D5678D4FD4453BFCDF84D6CBDEF858F2833B0A5F251B5946F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272159Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:07:40.124{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3ECAF5DD42098BA2598EDF834A746B61,SHA256=00B41B3BAC81098B6F9EC82D463F412614642C3F5DC6A792F4C8495A74A6E347,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000208869Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:07:41.805{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6EA5CB4BC5327B793D3FD5A8908BF9F6,SHA256=C072F61ABC8A964BB53F0608FD16BE8D2B5097B81695238E850E9AA9AC9D3523,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272160Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:07:41.217{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1EF074093E12F91E3813A57624650707,SHA256=5296D631852A27D19A055E96F7A8ADBE31D25E23CAB1F947DEED85C0B8F4AF12,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000208870Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:07:40.188{8E625C7F-6FE3-642D-6100-00000000CC02}3076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-176.us-east-2.compute.internal49834-false10.0.1.12-8000- 354300x8000000000000000272162Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:07:39.959{EDA2768C-6FF5-642D-7000-00000000CB02}1600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-192.attackrange.local63867-false10.0.1.12-8000- 23542300x8000000000000000272161Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:07:42.312{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D69448DAC2C90CE143FAE4994D667AB,SHA256=A1B43FFE195AF942651E9E9ADBA66990A392FC1FCDE80AF1F94706490BFDC9BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000208871Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:07:43.118{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1379ED314A73703F01217FD57D020B0,SHA256=2BED88336E9916F48110612345EC700A1D3617CBC77B8DC65E55A1A6E4A0770C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272163Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:07:43.405{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6D1996994B9B7D7A928D5DB2258B71D,SHA256=EDC1149EC11A3A550D2925C769A5320482DE3B00AD4AFE2F06209621FA1713EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000208872Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:07:44.321{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E512C73E9C40B74D6AC714A9B19108F,SHA256=50225146F9D6F15E11ADC60527A3AB5DAF1991CBF15ECA074470D73990EE8EB2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272164Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:07:44.718{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1571EFC71AAED9E71BD657DBFB049645,SHA256=6F554BD2A86174F45D2C704E4207772A9342E0A1AAABF3341D0A75374A7F8C26,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000208873Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:07:45.415{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8679575458D1D7C55780F8AD0619E992,SHA256=D7725FB9295565AB0357E609288590FE4AFECB8E302EA34651618AD65F043C69,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272165Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:07:45.812{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C87A4BFA60C9F512AF67E25C576A04B1,SHA256=FA130607D62498288FE54BF7F573F8159E3A0A800D58F3AE0CB0228358E99BEB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000208874Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:07:46.727{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7486860560A7D5A445082ABCE83045AB,SHA256=01696BE957D235EE22741D590A7AF1987DC246694F0CA809B272EBB20CD70AC1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272166Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:07:46.906{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC0CF4AB1015514986868559970D78EA,SHA256=23CB30A0BEC4203ADAADBF0F5BEB9C5199E00644BF021201417D51C3B51E5233,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000208876Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:07:46.047{8E625C7F-6FE3-642D-6100-00000000CC02}3076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-176.us-east-2.compute.internal49835-false10.0.1.12-8000- 23542300x8000000000000000208875Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:07:47.930{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE9A062BE13CD5FA66A0BFBFFBC95A55,SHA256=E7335E92B03575BAE2161CEC88A1F88ED559BBE5C48F71129564EE4A53A05F15,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000272167Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:07:45.131{EDA2768C-6FF5-642D-7000-00000000CB02}1600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-192.attackrange.local63868-false10.0.1.12-8000- 23542300x8000000000000000272168Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:07:48.000{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16873BAFA3553D91D6908C321803EB7E,SHA256=D68E7E4E92229AC8BE657FB0892F2F8FA0F70578357C6B50F1B1396CC76CA2FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000208877Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:07:49.024{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA31CE8BDD7A3310E7A2C780CC3B2813,SHA256=AF2105481C9C21B6955F449FE18E9802A1CAE1E8BFB19A2E49811F0F140D8386,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272169Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:07:49.094{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D781079C3D77F9A476FC9E42D0EFD8E,SHA256=B2D7EA25326462D305E36488721229CFB8760B063839119B63842B62626ED5DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000208878Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:07:50.118{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26424A0CBD73CDD5B65C2500EAC622DD,SHA256=4B2AB236022182886A60EA0F0164F4B18F2D78F7BCFD8C40F92CB0F337ECB2F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272170Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:07:50.188{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E329EEBF133AAF669D6B01DACA327B4D,SHA256=424E020F58D927F1207AD43E5C4E7E433C02FFACB482443181CCCF4E44190736,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000208879Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:07:51.430{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2B419EE811C93E2259AA75B3677F059,SHA256=6E221D5C6AC6FDFA601EB4CF1A4745EF0C12B1CFD1026041AFB500F3CA1BFE0B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272171Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:07:51.281{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3059DBAC15043EE22892E8DE944038B,SHA256=3AFCCD9992C76A315C175F011E51C803D82BA9B83ED60CBF34C708F75D833FA6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000208881Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:07:52.524{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=875BADA2E69067AA7473909F8063B6BA,SHA256=00723B992C2CF9C7382594710875B59376FDF51CFE54EB76B9AC8E5CE3FE334D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000208880Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:07:52.430{8E625C7F-6FD8-642D-1100-00000000CC02}976NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=F385CA4D73000B28DAA413B4ABF09BD3,SHA256=0012AC183AD9F97FB524F1F0E476971D1843EAFB6BDAE34B269F5553A71F1BCA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272172Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:07:52.375{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23860A730C91EF95E5602FB1028B9DE6,SHA256=5748F93F8A4652FDFE96E94D8BBC9987941D58ED9FCA232F182CFD9254B5895B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000208883Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:07:53.727{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8309B23A2B1EC9D546C577B93D88AE1,SHA256=E2073EDCE750DCE4D69F79F627CBB61F600CC50A41DE9A23C295F3AC945EFA04,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000208882Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:07:51.188{8E625C7F-6FE3-642D-6100-00000000CC02}3076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-176.us-east-2.compute.internal49836-false10.0.1.12-8000- 354300x8000000000000000272174Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:07:50.943{EDA2768C-6FF5-642D-7000-00000000CB02}1600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-192.attackrange.local63869-false10.0.1.12-8000- 23542300x8000000000000000272173Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:07:53.469{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4D5DA74A5D65C9295DF081025725FF4,SHA256=53AEDA0AD315F412CDCA4578B37436DE2918DC3C394CA9CA43C7FBC53510AE01,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000208884Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:07:54.821{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5FDEB20E656C9A972C7C19291705C32,SHA256=5E984D97590122A3C315A69B030489F6EE5B8B89260E6D5CAC356C48B58648A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272175Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:07:54.563{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C417D27FE60D47E9802A5B427C2CE13B,SHA256=AEC5308F0CB01E3BD4BEE1C7D62131CB38A99505353C2D745AC6ECA707D18B3E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272177Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:07:55.657{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3423F63098ECEA0FD6E4BAF47EF0D65,SHA256=5F945766C36B61280FB23EC9E2B66EEFCC15991978EF672787D1CE5D0A55BAEF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272176Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:07:55.329{EDA2768C-6FEA-642D-2900-00000000CB02}2628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=9FB41F48E52B4BD1BC822121DF997C32,SHA256=6DEA0BB3D9E04DA44C09D4061593C8817E04C4A6303A1FA3EF010C6754666771,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000208886Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:07:56.133{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6869CE49505B1FC6AB790AAE5A8E89B6,SHA256=490ABE9B40D5F36DFC7B4F77BB673F443C8F80C0236EAC50E48B8931E68306D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000208885Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:07:56.133{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=9CE9C17FF09A4E9F5E313AEC63FA1E61,SHA256=8912B18CBCB42888251C25F74FD182992227F6E69BE7A40EDB8C10FE90640B56,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272178Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:07:56.751{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=367599A893F9B5ACB7F30AEC7B6097E0,SHA256=61CB616207522CE035BC793A77A7E626F93B69B759C8D830F4460C67B906D6FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000208887Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:07:57.337{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AFED60C7DD10A749AC9E7EF046591191,SHA256=925D9374B5891F63049DBD73090A3D3C8AEE8664088CF18B7A48EE6B486D4A7E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272179Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:07:57.845{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB9D03BFFDBA42D3188C2F6B7B49DEA2,SHA256=CE1005565DD42F0DBF7BC151BD77E33149D7D3258AB2BDBC5BBBFD12B9A93EEE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000208888Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:07:58.430{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC713E84FD4B954340803990296A0FCB,SHA256=FCB09BC90326B5F18A3C852F935BDB6F6414E7FFA17BDC93A488083B3023C38A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272181Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:07:58.939{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB5051ECEB9C335916433D7E562F84ED,SHA256=5D5E2C0AF1D834976110656D25725C973A03EDEA72CB3C625D8ECB979D010220,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272180Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:07:58.282{EDA2768C-6FDC-642D-1100-00000000CB02}92NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=C18CAD518C8A6490872FE1F4B04ACB4A,SHA256=80337E48520050EA747FC24EAC50BC8D8EB1D43F2725234352C645AB3B0105BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000208890Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:07:59.743{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=068AF4C4D55AB399D8D807AA56EFC8ED,SHA256=4F5BD342052AEA782C8718076973AC0E089A72ACE2FBE91FE977D21048D4415B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000208889Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:07:57.094{8E625C7F-6FE3-642D-6100-00000000CC02}3076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-176.us-east-2.compute.internal49837-false10.0.1.12-8000- 354300x8000000000000000272182Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:07:56.115{EDA2768C-6FF5-642D-7000-00000000CB02}1600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-192.attackrange.local63870-false10.0.1.12-8000- 23542300x8000000000000000208891Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:08:00.836{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD11E7009C0A3E98BF54959596E3CE6E,SHA256=FC64A8591A8C74F0812A849DACC499F5A1BA0F1751BC078ABF952F2C51E8D1D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272183Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:08:00.142{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41E171A61CF0D83DC300C44867C8B87C,SHA256=0F6B5995914F987031F8679D46597015BA786626589B0E15FA5FBAAF572CB773,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000208892Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:08:01.930{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7DCA30D1FD6ACF77BDA29C38E60D1D3,SHA256=E50AF04B9CE9E09178F4391F5FC4E153345049F07C14013C6E05727AC13698D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272184Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:08:01.236{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50348BF08638E44EF77DBF922C2514ED,SHA256=0CE41B04D67253B39948D4DA0967895F3266077D735E8991C82027D52DB5732E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272186Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:08:02.689{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=196FFA35D182FDD027042A610B914CF0,SHA256=74A86BC1BA3D1BFD14CBC82064DD23097034A3DF632763802D81A2FE6AE170C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272185Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:08:02.330{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C363CC9F18BBDF11C10DF107025E65A8,SHA256=36141CA8C54003329E0A3FD2F558F0D667042CFFE78AB4CA16F1500E13ECB9BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000208894Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:08:03.493{8E625C7F-6FD8-642D-1E00-00000000CC02}1944NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=A7F5F15494D40628A6454642BDB837C6,SHA256=A232CA83B5EE3C99D23413319539A66CCCA50F101DFBC10136DB50B1520A2DBE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000208893Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:08:03.024{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B798A0F43F153E80AD33E833ADA3490,SHA256=E70067D64D60FC2277D3E9E00E70E3A89F29F6CEF29BCAA7B060A647CAD9DD81,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272187Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:08:03.424{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0016448F6ECFD5E0814E48D0BBE6E04,SHA256=FEDBC7C65C1BA9838A4BCED3C74A5061E1950E667CD3E971A26720B3B4250E87,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000208895Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:08:04.118{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B571EB2C1DDEE367C28EEFDE6DF32ECE,SHA256=AA5D509CCF453637831E2217C2EC82793ED0E212809BB433179C7804BE444F0D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272188Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:08:04.518{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3DDDCE9DC22228DDA632FCE19D2C22A8,SHA256=1964CB8A30F8223E8D6E11494913E28B4A17A495BBFDA87B5C2D5E560A4AED0E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000208911Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:08:03.469{8E625C7F-6FD8-642D-1E00-00000000CC02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-176.us-east-2.compute.internal49839-false10.0.1.12-8089- 354300x8000000000000000208910Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:08:03.062{8E625C7F-6FE3-642D-6100-00000000CC02}3076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-176.us-east-2.compute.internal49838-false10.0.1.12-8000- 10341000x8000000000000000208909Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:08:05.305{8E625C7F-6FD9-642D-2E00-00000000CC02}28362856C:\Windows\system32\conhost.exe{8E625C7F-72B5-642D-F900-00000000CC02}3748C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208908Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:08:05.305{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208907Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:08:05.305{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208906Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:08:05.305{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208905Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:08:05.305{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208904Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:08:05.305{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208903Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:08:05.305{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208902Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:08:05.305{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208901Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:08:05.305{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208900Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:08:05.305{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208899Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:08:05.305{8E625C7F-6FD7-642D-0500-00000000CC02}4123824C:\Windows\system32\csrss.exe{8E625C7F-72B5-642D-F900-00000000CC02}3748C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000208898Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:08:05.305{8E625C7F-6FD8-642D-1E00-00000000CC02}19442984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8E625C7F-72B5-642D-F900-00000000CC02}3748C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000208897Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:08:05.306{8E625C7F-72B5-642D-F900-00000000CC02}3748C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8E625C7F-6FD7-642D-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{8E625C7F-6FD8-642D-1E00-00000000CC02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000208896Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:08:05.211{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=818D344095E2E0C52770EC09E939C515,SHA256=919D5A96E262C2E97535CEB4441C43B43EC998AA950AFCA383A7C76D919E7304,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272190Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:08:05.831{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04F17E574D63BC941CBDB1CF1D37BA57,SHA256=3C99DF5C6101BC2B207809EF2A3436169739A5F41A54FE9FB7C99CC071947CCE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000272189Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:08:02.006{EDA2768C-6FF5-642D-7000-00000000CB02}1600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-192.attackrange.local63871-false10.0.1.12-8000- 10341000x8000000000000000208940Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:08:06.977{8E625C7F-6FD9-642D-2E00-00000000CC02}28362856C:\Windows\system32\conhost.exe{8E625C7F-72B6-642D-FB00-00000000CC02}968C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208939Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:08:06.977{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208938Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:08:06.977{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208937Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:08:06.977{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208936Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:08:06.977{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208935Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:08:06.977{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208934Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:08:06.977{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208933Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:08:06.977{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208932Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:08:06.977{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208931Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:08:06.977{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208930Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:08:06.977{8E625C7F-6FD7-642D-0500-00000000CC02}4123824C:\Windows\system32\csrss.exe{8E625C7F-72B6-642D-FB00-00000000CC02}968C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000208929Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:08:06.977{8E625C7F-6FD8-642D-1E00-00000000CC02}19442984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8E625C7F-72B6-642D-FB00-00000000CC02}968C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000208928Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:08:06.978{8E625C7F-72B6-642D-FB00-00000000CC02}968C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8E625C7F-6FD7-642D-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{8E625C7F-6FD8-642D-1E00-00000000CC02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000208927Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:08:06.477{8E625C7F-72B6-642D-FA00-00000000CC02}34363636C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{8E625C7F-6FD8-642D-1E00-00000000CC02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000208926Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:08:06.352{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BD75C97B53BC3F476192ADC3E0766DB8,SHA256=D401C0740C29F6A518D50790ACF4D6478372BEC2E71D154F1FE8C786BBDFB561,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000208925Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:08:06.305{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E309A05B96791BA5752241374B05A43E,SHA256=8068A0B87F04BA86E68883085C654D6B4774A2F2A9C415017B13E85CAEDFA4E1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000208924Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:08:06.290{8E625C7F-6FD9-642D-2E00-00000000CC02}28362856C:\Windows\system32\conhost.exe{8E625C7F-72B6-642D-FA00-00000000CC02}3436C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208923Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:08:06.290{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208922Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:08:06.290{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208921Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:08:06.290{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208920Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:08:06.290{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208919Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:08:06.290{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208918Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:08:06.290{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208917Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:08:06.290{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208916Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:08:06.290{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208915Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:08:06.290{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208914Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:08:06.290{8E625C7F-6FD7-642D-0500-00000000CC02}412428C:\Windows\system32\csrss.exe{8E625C7F-72B6-642D-FA00-00000000CC02}3436C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000208913Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:08:06.290{8E625C7F-6FD8-642D-1E00-00000000CC02}19442984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8E625C7F-72B6-642D-FA00-00000000CC02}3436C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000208912Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:08:06.290{8E625C7F-72B6-642D-FA00-00000000CC02}3436C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8E625C7F-6FD7-642D-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{8E625C7F-6FD8-642D-1E00-00000000CC02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000272191Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:08:06.924{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0AA2B0D3EB5BDD30CAE6D2F5BF123B22,SHA256=0580E92D4782C62591C630AD7610AA48D37A66E2B111E9E88608B73C4B4591DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000208942Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:08:07.586{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6BAE94F028987415F9620291A1E6631E,SHA256=66FFB3C5D6FB25A84373032BE7E9EB98F9B240D4860246BBDF7CC9489256D067,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000208941Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:08:07.071{8E625C7F-6FD8-642D-1E00-00000000CC02}1944NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=F79C369355B276B866739F3BC46DAFCE,SHA256=B25070B44E9F618E3B9A3399402BAB63505E8B588E8A93AEECE05AD494AF1C52,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000208956Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:08:08.868{8E625C7F-6FD9-642D-2E00-00000000CC02}28362856C:\Windows\system32\conhost.exe{8E625C7F-72B8-642D-FC00-00000000CC02}3672C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208955Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:08:08.868{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208954Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:08:08.868{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208953Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:08:08.868{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208952Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:08:08.868{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208951Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:08:08.868{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208950Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:08:08.868{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208949Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:08:08.868{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208948Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:08:08.868{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208947Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:08:08.868{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208946Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:08:08.868{8E625C7F-6FD7-642D-0500-00000000CC02}412428C:\Windows\system32\csrss.exe{8E625C7F-72B8-642D-FC00-00000000CC02}3672C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000208945Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:08:08.868{8E625C7F-6FD8-642D-1E00-00000000CC02}19442984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8E625C7F-72B8-642D-FC00-00000000CC02}3672C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000208944Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:08:08.869{8E625C7F-72B8-642D-FC00-00000000CC02}3672C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8E625C7F-6FD7-642D-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{8E625C7F-6FD8-642D-1E00-00000000CC02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000208943Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:08:08.836{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89BA4C595198FC20F61C5A461E1BFE2C,SHA256=0AF506579457DD67C7FC0C4C320747EE882673BA76E3DB5F7F11F3AD39C4E920,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272192Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:08:08.237{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D89FA8E5ED64E7E11AB7378B296EF56,SHA256=F34719740568923FC100F01B3E50FBA061DE0363C24DFAF1865F8258CC5155B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000208971Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:08:09.930{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FA476333252A1ACE364F6BDFB274F9F,SHA256=273E0B3F0DCD49DAE4E1B5135EDC0D8F93FA736ECC2DAE3A27760BE9477CA816,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000208970Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:08:09.915{8E625C7F-6FD9-642D-2E00-00000000CC02}28362856C:\Windows\system32\conhost.exe{8E625C7F-72B9-642D-FD00-00000000CC02}3668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208969Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:08:09.915{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208968Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:08:09.915{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208967Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:08:09.915{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208966Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:08:09.915{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208965Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:08:09.915{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208964Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:08:09.915{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208963Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:08:09.915{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208962Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:08:09.915{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208961Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:08:09.915{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208960Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:08:09.915{8E625C7F-6FD7-642D-0500-00000000CC02}412428C:\Windows\system32\csrss.exe{8E625C7F-72B9-642D-FD00-00000000CC02}3668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000208959Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:08:09.915{8E625C7F-6FD8-642D-1E00-00000000CC02}19442984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8E625C7F-72B9-642D-FD00-00000000CC02}3668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000208958Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:08:09.915{8E625C7F-72B9-642D-FD00-00000000CC02}3668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{8E625C7F-6FD7-642D-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{8E625C7F-6FD8-642D-1E00-00000000CC02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000208957Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:08:09.071{8E625C7F-72B8-642D-FC00-00000000CC02}36723676C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{8E625C7F-6FD8-642D-1E00-00000000CC02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000272193Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:08:09.456{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C29A150E43047F6D6F65F45A7B245DD,SHA256=FA992031351D922F1D285A3293AE08D5F7992C0DACAE03239C51C161B8F0F701,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000208986Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:08:10.758{8E625C7F-72BA-642D-FE00-00000000CC02}39562308C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{8E625C7F-6FD8-642D-1E00-00000000CC02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208985Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:08:10.586{8E625C7F-6FD9-642D-2E00-00000000CC02}28362856C:\Windows\system32\conhost.exe{8E625C7F-72BA-642D-FE00-00000000CC02}3956C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208984Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:08:10.586{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208983Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:08:10.586{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208982Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:08:10.586{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208981Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:08:10.586{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208980Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:08:10.586{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208979Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:08:10.586{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208978Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:08:10.586{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208977Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:08:10.586{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208976Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:08:10.586{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208975Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:08:10.586{8E625C7F-6FD7-642D-0500-00000000CC02}4121036C:\Windows\system32\csrss.exe{8E625C7F-72BA-642D-FE00-00000000CC02}3956C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000208974Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:08:10.586{8E625C7F-6FD8-642D-1E00-00000000CC02}19442984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8E625C7F-72BA-642D-FE00-00000000CC02}3956C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000208973Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:08:10.587{8E625C7F-72BA-642D-FE00-00000000CC02}3956C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8E625C7F-6FD7-642D-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{8E625C7F-6FD8-642D-1E00-00000000CC02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000208972Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:08:10.086{8E625C7F-72B9-642D-FD00-00000000CC02}36683332C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{8E625C7F-6FD8-642D-1E00-00000000CC02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000272196Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:08:10.659{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC5F50A74F31FC73DC83F011E0D67F02,SHA256=12DE19F170E6B868537D6B452364677B6AC025FBFD535C69761E19ED08251E3B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000272195Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:08:07.927{EDA2768C-6FF5-642D-7000-00000000CB02}1600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-192.attackrange.local63872-false10.0.1.12-8000- 23542300x8000000000000000272194Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:08:10.112{EDA2768C-6FEA-642D-2900-00000000CB02}2628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=D5CA56D6F3597357E8C3B1CA51B9F30C,SHA256=9E08A18D639B411C72E2A6F9A6F9758642B555BE3D4AE0CCE8F17A39E92A7600,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000208990Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:08:11.699{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DC4F3173F799C8E1B83A86C94ADF0ADA,SHA256=BB3EEC425C31AFF0B1985D813FDAE532521AD2AD5CE1C62BC9C8756BA61CB7A0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000208989Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:08:09.016{8E625C7F-6FE3-642D-6100-00000000CC02}3076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-176.us-east-2.compute.internal49840-false10.0.1.12-8000- 23542300x8000000000000000208988Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:08:11.583{8E625C7F-6FD8-642D-1A00-00000000CC02}1868NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0349dcef4ef1bffd1\channels\health\respondent-20230405125554-011MD5=01AFA1117B3FF8C251038CF8389D3BC3,SHA256=E6B2DA3B1F447C8796BEA507CA8DDC0A951700532C0315D7CA2BAFBA4D11A451,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000208987Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:08:11.143{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A13170DC995D9629E5D31A424B7D47B8,SHA256=AE534606C8127CE427163CD8236AE453C646058CD7EC855C9B04B709FBFF7DFB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272197Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:08:11.753{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02D8B58660FB0B8F232582B7670515F4,SHA256=290EBC2AA71D3B5A9ADD536962BEF88C800FCD97D728A98B7966FAA824D86694,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000209005Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:08:12.590{8E625C7F-6FD8-642D-1A00-00000000CC02}1868NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0349dcef4ef1bffd1\channels\health\surveyor-20230405125553-012MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000209004Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:08:12.449{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A022DA2348A584C7498D9C33010CE1C,SHA256=C6248EE5CDA686254528A2B8FD44371DA230F3E26827794BF7DF0A491EF27AA8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272199Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:08:12.956{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B01E11E6BBAE7584C0770D7224E13FF,SHA256=E48D17636D7B28DE7413899E8676B354AFD7DA1E8A4EC03EA742543AD419463C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000209003Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:08:12.324{8E625C7F-6FD9-642D-2E00-00000000CC02}28362856C:\Windows\system32\conhost.exe{8E625C7F-72BC-642D-FF00-00000000CC02}2776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209002Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:08:12.324{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209001Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:08:12.324{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209000Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:08:12.324{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208999Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:08:12.324{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208998Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:08:12.324{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208997Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:08:12.324{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208996Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:08:12.324{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208995Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:08:12.324{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208994Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:08:12.324{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208993Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:08:12.324{8E625C7F-6FD7-642D-0500-00000000CC02}4123824C:\Windows\system32\csrss.exe{8E625C7F-72BC-642D-FF00-00000000CC02}2776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000208992Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:08:12.324{8E625C7F-6FD8-642D-1E00-00000000CC02}19442984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8E625C7F-72BC-642D-FF00-00000000CC02}2776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000208991Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:08:12.324{8E625C7F-72BC-642D-FF00-00000000CC02}2776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8E625C7F-6FD7-642D-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{8E625C7F-6FD8-642D-1E00-00000000CC02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000272198Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:08:08.974{EDA2768C-6FEA-642D-2900-00000000CB02}2628C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-192.attackrange.local63873-false10.0.1.12-8089- 23542300x8000000000000000209006Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:08:13.529{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76CBAD1BC34221EE7CF7412AB51760BE,SHA256=09546CEFA48CD33F5483172488B563669DC06325EB59D0697D3924906FD16560,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000209007Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:08:14.873{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7988F4474598423F41480BAE228E72A,SHA256=B512FA8AF790638E9C4E785B9535250BAE274FEBEE367B55D2F99EB1F7CC5160,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272200Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:08:14.050{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84B85E5407031586AFCD458D4FCB70E4,SHA256=1654E4370FC5DEF824DE2D1DF30E99738DD353D928663060EC2E7D457AACFEF3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000209008Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:08:14.161{8E625C7F-6FE3-642D-6100-00000000CC02}3076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-176.us-east-2.compute.internal49841-false10.0.1.12-8000- 354300x8000000000000000272202Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:08:13.115{EDA2768C-6FF5-642D-7000-00000000CB02}1600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-192.attackrange.local63874-false10.0.1.12-8000- 23542300x8000000000000000272201Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:08:15.144{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=805A8F66D53E11B5C30FCA99BF4921B2,SHA256=C20AFD171149EC1DEC888D4339DA6176DBC9CC09C275D622570FFC838C4DDBE3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000209009Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:08:16.185{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCE97F7C1F8A7FB44BC989F4737C04DB,SHA256=25C1796DC4F8FC0651B2E69886AD0771A0B667934ED27E2FE09573EBA4EB953E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272203Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:08:16.238{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA5B03A35A02A51CF4AE17E8CF9A6B39,SHA256=408D81DDF2E3A544540A35D7B0A2ADCD3C85CCF000E9C8997DF8124E055F0AA5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000209010Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:08:17.279{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0073F30FEC5DE96EDD757DF9C0576FFD,SHA256=1FBE1CED0A884E12B1A476E5C84D96C8B97DFE85922706F7E21902E2FDE9AEAA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272204Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:08:17.332{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5668BA756E8A34738125F2910B4433D8,SHA256=6DA43A9E8D7614AAC5A3432B0AB0A406F49CE68272F530894E1F701AFC73C2A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000209011Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:08:18.592{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D51C9AA3A4D23532DB760FB3F946661,SHA256=DB0BEEC55E4C8DF4FC7173A9F96CF3F8CCF298EFBD4AD8692D1718F7C1424356,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272205Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:08:18.426{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F80ED9058439D79F2B4A395E90AB4437,SHA256=7E2DD22CB75E3C5C0068158576EECC06A85EC7C25B7BE175FAD7794721FE91D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000209012Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:08:19.685{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F62EC56BBADB5E24095378041BAB43F1,SHA256=2BB6B26916DB6FEEE7EB811BD8160A3606C55E116603E203E9801B06169C5535,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272206Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:08:19.738{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64D5983D0032B70CA3C217C50736CF53,SHA256=DA5B8BC98ACB7959896E357FFE0696F79D6F122481B31071286FBC5B202E37B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272207Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:08:20.832{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B68332665C7E199407DFC1DC0284504,SHA256=CF731627C2C0673A6B9FA4169FD5152C7D9578D554C2CF9B2A184F611830C4F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000209013Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:08:20.998{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1B01FB055A7719D562E5DBF1BDD1DEC,SHA256=79C18A20279F2EB2395F7A1E5A4CECDEF31934416319F0345082B68B47435874,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272209Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:08:21.926{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=425F30DD3A872297996137F5A4EE0F5E,SHA256=4D757BE7E8B5F293E529EF9FBE47639E113B1661563C615365127E5BCE54E294,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000272208Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:08:19.037{EDA2768C-6FF5-642D-7000-00000000CB02}1600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-192.attackrange.local63875-false10.0.1.12-8000- 23542300x8000000000000000209014Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:08:22.092{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8E33C842C4CDE4540050E573967D6BB,SHA256=F9966C283D7A555630F477AE22C73C2757967DACCE727FAB732C685FD4E9CF0F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000209016Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:08:23.295{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=019631C689315B0A4F801BF1E34D2EFC,SHA256=75EA1D4E124AE434B638F8734138FB62B8290BD6893419425F582EDBA2222AD5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000209015Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:08:20.084{8E625C7F-6FE3-642D-6100-00000000CC02}3076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-176.us-east-2.compute.internal49842-false10.0.1.12-8000- 23542300x8000000000000000272210Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:08:23.020{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85240AB033B3214685FE8893F29FFFC5,SHA256=7DE75A15AEF4987FC8AD39C29A66547DAA180C8A25F51CF72A0EB5A4459888C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000209017Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:08:24.388{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14088FE35D477CF34FAA12839F7ED4D0,SHA256=B86848117E668EF64648D61AE573AF88072666C270195622E87962DBEC4C004D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000272237Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:08:24.880{EDA2768C-6FEB-642D-3500-00000000CB02}31363164C:\Windows\system32\conhost.exe{EDA2768C-72C8-642D-0101-00000000CB02}3804C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272236Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:08:24.880{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272235Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:08:24.880{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272234Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:08:24.880{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272233Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:08:24.880{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272232Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:08:24.880{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272231Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:08:24.880{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272230Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:08:24.880{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272229Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:08:24.880{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272228Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:08:24.880{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272227Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:08:24.880{EDA2768C-6FD9-642D-0500-00000000CB02}420784C:\Windows\system32\csrss.exe{EDA2768C-72C8-642D-0101-00000000CB02}3804C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000272226Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:08:24.880{EDA2768C-6FEA-642D-2900-00000000CB02}26284044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EDA2768C-72C8-642D-0101-00000000CB02}3804C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000272225Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:08:24.880{EDA2768C-72C8-642D-0101-00000000CB02}3804C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{EDA2768C-6FDA-642D-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{EDA2768C-6FEA-642D-2900-00000000CB02}2628C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000272224Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:08:24.114{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=708FC4F4A0792E4CE08F11B8B1AA3DDB,SHA256=C1A5A76FC594EA63790C6E9B8CFE1886B4D765452113588D6D92165EE024E419,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000272223Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:08:24.098{EDA2768C-6FEB-642D-3500-00000000CB02}31363164C:\Windows\system32\conhost.exe{EDA2768C-72C8-642D-0001-00000000CB02}3100C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272222Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:08:24.098{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272221Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:08:24.098{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272220Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:08:24.098{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272219Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:08:24.098{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272218Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:08:24.098{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272217Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:08:24.098{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272216Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:08:24.098{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272215Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:08:24.098{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272214Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:08:24.098{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272213Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:08:24.098{EDA2768C-6FD9-642D-0500-00000000CB02}420436C:\Windows\system32\csrss.exe{EDA2768C-72C8-642D-0001-00000000CB02}3100C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000272212Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:08:24.098{EDA2768C-6FEA-642D-2900-00000000CB02}26284044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EDA2768C-72C8-642D-0001-00000000CB02}3100C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000272211Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:08:24.099{EDA2768C-72C8-642D-0001-00000000CB02}3100C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{EDA2768C-6FDA-642D-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{EDA2768C-6FEA-642D-2900-00000000CB02}2628C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000209018Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:08:25.482{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E81BB0ED434C78C540799245CC9E48F,SHA256=779A71BA3614055038EB8C83278757F4687ADB2ECC8FA26EAFA7A57EE3F843EB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000272254Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:08:25.864{EDA2768C-6FEB-642D-3500-00000000CB02}31363164C:\Windows\system32\conhost.exe{EDA2768C-72C9-642D-0201-00000000CB02}2416C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272253Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:08:25.864{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272252Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:08:25.864{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272251Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:08:25.864{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272250Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:08:25.864{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272249Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:08:25.864{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272248Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:08:25.864{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272247Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:08:25.864{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272246Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:08:25.864{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272245Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:08:25.864{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272244Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:08:25.864{EDA2768C-6FD9-642D-0500-00000000CB02}420436C:\Windows\system32\csrss.exe{EDA2768C-72C9-642D-0201-00000000CB02}2416C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000272243Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:08:25.864{EDA2768C-6FEA-642D-2900-00000000CB02}26284044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EDA2768C-72C9-642D-0201-00000000CB02}2416C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000272242Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:08:25.865{EDA2768C-72C9-642D-0201-00000000CB02}2416C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{EDA2768C-6FDA-642D-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{EDA2768C-6FEA-642D-2900-00000000CB02}2628C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000272241Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:08:25.614{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D8F38AF400965F6A2B528A2DF552FC9,SHA256=F816354EE0091302DF09A6F7BDFFC69284CEBEC77608D9DAA52160BEA4F88E06,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272240Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:08:25.614{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=11533C0E11E79C3AF66A7FD6573F3A4C,SHA256=337C18A73CB516052F60868DDA008DED3AEAA1C44095EE468FECF1BEC1DA8B58,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272239Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:08:25.567{EDA2768C-6FEA-642D-2900-00000000CB02}2628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=66CA4A23ED8CB738476FA97A75000E10,SHA256=046D30665051E524AE1BD90DF1838D17F2787EE7AC45B6CCC8877E298B7C18A9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000272238Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:08:25.083{EDA2768C-72C8-642D-0101-00000000CB02}38042988C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{EDA2768C-6FEA-642D-2900-00000000CB02}2628C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000209019Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:08:26.576{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E834EC0A27571E4B5F7E4ECF9552AF85,SHA256=7644A81400847F231B120D775731F644E262BBCC0EB61182BEB04B4696FC69CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272255Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:08:26.864{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C99B5C9309E57859E38963C773BEAD57,SHA256=3EC241EF1D705AEC1B5B4F5526C0A228EACF292CA273E0F6FD4FE8B5148B405F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000209021Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:08:27.670{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A785BDBD91BF0A6056E5E05A93E49FF9,SHA256=4D78B4149C5C780A288C1616D48771ADB508878D53849DB5C26DAC3B93E5295D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000209020Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:08:25.146{8E625C7F-6FE3-642D-6100-00000000CC02}3076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-176.us-east-2.compute.internal49843-false10.0.1.12-8000- 354300x8000000000000000272270Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:08:24.647{EDA2768C-6FDA-642D-0B00-00000000CB02}648C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-192.attackrange.local63876-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-192.attackrange.local389ldap 354300x8000000000000000272269Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:08:24.647{EDA2768C-6FEA-642D-2700-00000000CB02}2600C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-192.attackrange.local63876-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-192.attackrange.local389ldap 10341000x8000000000000000272268Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:08:27.864{EDA2768C-6FEB-642D-3500-00000000CB02}31363164C:\Windows\system32\conhost.exe{EDA2768C-72CB-642D-0301-00000000CB02}1088C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272267Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:08:27.864{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272266Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:08:27.864{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272265Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:08:27.864{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272264Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:08:27.864{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272263Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:08:27.864{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272262Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:08:27.864{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272261Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:08:27.864{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272260Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:08:27.864{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272259Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:08:27.864{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272258Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:08:27.864{EDA2768C-6FD9-642D-0500-00000000CB02}420784C:\Windows\system32\csrss.exe{EDA2768C-72CB-642D-0301-00000000CB02}1088C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000272257Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:08:27.864{EDA2768C-6FEA-642D-2900-00000000CB02}26284044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EDA2768C-72CB-642D-0301-00000000CB02}1088C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000272256Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:08:27.865{EDA2768C-72CB-642D-0301-00000000CB02}1088C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{EDA2768C-6FDA-642D-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{EDA2768C-6FEA-642D-2900-00000000CB02}2628C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000209022Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:08:28.763{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B270B3A17F143EAE293A98F54FB06289,SHA256=F82F08761050F27685BF024F136A8E5B480D3CDB95BF9DB7381D2A8657C74C73,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000272287Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:08:24.943{EDA2768C-6FF5-642D-7000-00000000CB02}1600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-192.attackrange.local63877-false10.0.1.12-8000- 10341000x8000000000000000272286Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:08:28.568{EDA2768C-72CC-642D-0401-00000000CB02}4441196C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{EDA2768C-6FEA-642D-2900-00000000CB02}2628C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272285Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:08:28.396{EDA2768C-6FEB-642D-3500-00000000CB02}31363164C:\Windows\system32\conhost.exe{EDA2768C-72CC-642D-0401-00000000CB02}444C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272284Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:08:28.396{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272283Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:08:28.396{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272282Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:08:28.396{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272281Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:08:28.396{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272280Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:08:28.396{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272279Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:08:28.396{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272278Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:08:28.396{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272277Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:08:28.396{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272276Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:08:28.396{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272275Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:08:28.396{EDA2768C-6FD9-642D-0500-00000000CB02}420436C:\Windows\system32\csrss.exe{EDA2768C-72CC-642D-0401-00000000CB02}444C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000272274Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:08:28.396{EDA2768C-6FEA-642D-2900-00000000CB02}26284044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EDA2768C-72CC-642D-0401-00000000CB02}444C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000272273Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:08:28.397{EDA2768C-72CC-642D-0401-00000000CB02}444C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{EDA2768C-6FDA-642D-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{EDA2768C-6FEA-642D-2900-00000000CB02}2628C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000272272Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:08:28.114{EDA2768C-72CB-642D-0301-00000000CB02}10882640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{EDA2768C-6FEA-642D-2900-00000000CB02}2628C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000272271Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:08:28.068{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB3C5E7FDA4D65DFEF096D1D654C81DD,SHA256=2694A4784B7D75E45EF1F80F2DDCCB2774396561F9150526FBC5E3060B98D307,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000209023Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:08:29.966{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD729FDB0234FA90ABB4F06585C0DB9D,SHA256=65857CA51EE2D2FB52C95B75DCB3AFA2B360590C3A5B739581E17716DAFD979A,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000272303Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-SetValue2023-04-05 13:08:29.490{EDA2768C-6FDC-642D-1200-00000000CB02}388C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d967bf-0xb73edc08) 23542300x8000000000000000272302Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:08:29.318{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06AEC9D36604585520D6CB2DD19BEAEF,SHA256=C4CFC1D0A1605F7D40FC85E68C99FF7C4F47EDF553187594147618FE50527D7D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000272301Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:08:29.208{EDA2768C-72CD-642D-0501-00000000CB02}18803488C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{EDA2768C-6FEA-642D-2900-00000000CB02}2628C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272300Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:08:29.021{EDA2768C-6FEB-642D-3500-00000000CB02}31363164C:\Windows\system32\conhost.exe{EDA2768C-72CD-642D-0501-00000000CB02}1880C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272299Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:08:29.021{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272298Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:08:29.021{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272297Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:08:29.021{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272296Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:08:29.021{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272295Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:08:29.021{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272294Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:08:29.021{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272293Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:08:29.021{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272292Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:08:29.021{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272291Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:08:29.021{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272290Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:08:29.021{EDA2768C-6FD9-642D-0500-00000000CB02}420436C:\Windows\system32\csrss.exe{EDA2768C-72CD-642D-0501-00000000CB02}1880C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000272289Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:08:29.021{EDA2768C-6FEA-642D-2900-00000000CB02}26284044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EDA2768C-72CD-642D-0501-00000000CB02}1880C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000272288Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:08:29.022{EDA2768C-72CD-642D-0501-00000000CB02}1880C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{EDA2768C-6FDA-642D-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{EDA2768C-6FEA-642D-2900-00000000CB02}2628C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000272305Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:08:30.736{EDA2768C-6FEA-642D-2800-00000000CB02}2608NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0325ca857d975bee2\channels\health\respondent-20230405125612-011MD5=8F9BF81EEEF0CC5FBD19D34ACA4D7654,SHA256=BDB857148A23C205BC97FF1DFCA28720A075C205934C789E9782C71AA2112876,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272304Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:08:30.374{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44E3D7279B143BD3C6EF8DF9D9903D48,SHA256=B638B14E916E86873C0ACD2CB2D47B8127ED6F00F7DA2DD6A1C1F9D8D4451D4A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000209024Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:08:31.060{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DDB4A0F1F7679A696569A2EDEC47796F,SHA256=CFE6CFE4722C07CF897F2E506FD49F5F2C2145D36BD5FBE43814EEA9A34B039B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272320Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:08:31.743{EDA2768C-6FEA-642D-2800-00000000CB02}2608NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0325ca857d975bee2\channels\health\surveyor-20230405125610-012MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272319Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:08:31.461{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70E42C56298169C5F35A5B43EF0BA912,SHA256=64987A95B439FC65705E40B12BE58B9A8A6A799287781674F604C76EB76EF5E0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000272318Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:08:31.070{EDA2768C-6FEB-642D-3500-00000000CB02}31363164C:\Windows\system32\conhost.exe{EDA2768C-72CF-642D-0601-00000000CB02}1300C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272317Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:08:31.070{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272316Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:08:31.070{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272315Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:08:31.070{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272314Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:08:31.070{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272313Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:08:31.070{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272312Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:08:31.070{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272311Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:08:31.070{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272310Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:08:31.070{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272309Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:08:31.070{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272308Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:08:31.070{EDA2768C-6FD9-642D-0500-00000000CB02}420784C:\Windows\system32\csrss.exe{EDA2768C-72CF-642D-0601-00000000CB02}1300C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000272307Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:08:31.070{EDA2768C-6FEA-642D-2900-00000000CB02}26284044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EDA2768C-72CF-642D-0601-00000000CB02}1300C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000272306Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:08:31.071{EDA2768C-72CF-642D-0601-00000000CB02}1300C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{EDA2768C-6FDA-642D-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{EDA2768C-6FEA-642D-2900-00000000CB02}2628C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000209026Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:08:30.240{8E625C7F-6FE3-642D-6100-00000000CC02}3076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-176.us-east-2.compute.internal49844-false10.0.1.12-8000- 23542300x8000000000000000209025Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:08:32.154{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B6A00CEAF359D7F706B4ACF938B1541,SHA256=2D3483D9C147912AE778C4063DFEC420B0E57124D751C426C8C45E0DE6DF79B1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000272323Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:08:30.070{EDA2768C-6FF5-642D-7000-00000000CB02}1600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-192.attackrange.local63878-false10.0.1.12-8000- 23542300x8000000000000000272322Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:08:32.541{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F1557C1ABAF2E053F1B4D52B4CA3EC2,SHA256=5CA7A8B1DBABC485DCDABC13CC28523C0A4C22B5E04A4FC290C81076E0A82268,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272321Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:08:32.123{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D0ABE5B03FDB957B015C5E0842FF6060,SHA256=F35DB16EC438F8362476AC1F5CD92C2F4B7E64E81CBB0779F7F314EF4E6DEB42,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000209027Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:08:33.248{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=977EC022A2C5A342EC953804F82D8C66,SHA256=C1FAB3556EC02AB795BE30A1DD9FB4E7AD5AA3C475AFAFBD6E78BD0E087069CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272324Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:08:33.635{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=327EE15B8AB6766212B25579E252F01F,SHA256=A5DA58226D25E4AEE648EEC15F9BBF0B27EFC09B623DB8BCAEA2290F366097B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000209028Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:08:34.451{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68FB19767C972C93302C4E05DEFE1919,SHA256=9F5E461B4D1651DFE9EA38CD1369EB40186300494A976D17CE032ADAB96C6238,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272325Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:08:34.729{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80473B1A0E670017742ED23D84AFBF3A,SHA256=BE989A0B98FF757EAC49E93DF795F37AF81F07F3B3D3C27D4BD42C9DDD458527,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000209029Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:08:35.544{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1159A28A83974B3F18939BAA4CA22F9C,SHA256=AACD17A6EA723F6C1473516104BD7D79494D896047897B7FEE38AA9090BA4D41,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272326Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:08:35.822{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=072E88E665E4EC6B1B58714FCBF20C3A,SHA256=765E72FF01C554A60D38479DD258A81A5B85927A0C2E2F32AFFD85B0F4A816DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000209030Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:08:36.857{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B30EB8EBAD5FDAECD5FE57697B706CE1,SHA256=742EB8BB5AA7F38BBB8EB716738AA45D1754DBF76A4866FF0331E850DB8A152C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272327Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:08:36.916{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EEBEA86C3BD115811226524FDA452339,SHA256=D05F9E1609FED0FB0F2DD1654F49DA69E0F8CECF3E2DEC44C279A42D0ED156F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000209032Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:08:37.951{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E468637F92DDEDE12A3E9C90C35B3D73,SHA256=384B2CACE4B793DC54E527D8CC19E547ACA49DA86DCAB206AACA1C09873C4CCE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000209031Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:08:37.279{8E625C7F-6FD8-642D-1E00-00000000CC02}1944NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=F62B3D4C7F01B25E41163556FDFBC8F3,SHA256=5DE4234BE7329D743805F7D71C0FADF7E8764C2D16795E958D06156BA2CA07E4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000209033Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:08:36.161{8E625C7F-6FE3-642D-6100-00000000CC02}3076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-176.us-east-2.compute.internal49845-false10.0.1.12-8000- 23542300x8000000000000000272328Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:08:38.010{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6703FDAD289DD92F95EEFD8DB4C754F9,SHA256=6F619350F03F6135DE283CEF09F0E04FA0F2157616B0A6D62CC15CF140946C5A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000209034Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:08:39.045{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0117E1D928682010F2D0B1778BBD27E,SHA256=4E255695390979C60450847CA0FDE34DAADDE9D566768178E45ECA776C638A69,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000272330Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:08:35.963{EDA2768C-6FF5-642D-7000-00000000CB02}1600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-192.attackrange.local63879-false10.0.1.12-8000- 23542300x8000000000000000272329Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:08:39.104{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04DB235BD73C1A6CBB22F72269127685,SHA256=B00BAA34775B15458BF6582305257F67C6D3257CF10ADEE4D5E5C02ACECE0B8A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000209035Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:08:40.357{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B09B435A334319B17383C6F01DF802C1,SHA256=FBFF1F358B94140292074E9D553D10C61CBB1F6886868ECA421DF3D15754A3B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272331Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:08:40.198{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C02505DF090BEBD75ECCA7548DD7614B,SHA256=6A99AB8B0ED7670F154411EAC67F4056CA4284AFA0BE4583EF48ADAE8DD8F242,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000209036Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:08:41.669{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBB6ECFF06ED71C118ED941BE60F5BD1,SHA256=5E72FB33B87370E40BD2E6CBB45FA8FE6FB6C7BD63A49D6798DEC3145BF5893E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272332Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:08:41.292{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C0C069C387B422BB132A001C9570F4F,SHA256=0466D5D99A1A480B229E729F84439046FFD396A886A06525460E27AFED6BB4F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000209037Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:08:42.763{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE8EC3887DE09BAD8D4076E2BDC878C1,SHA256=174A6C0F089350F33EA345E09692697BCD26F619B9BD5E10223621C07063804A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272333Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:08:42.385{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9346D3D0DB049AB9BE9AA5C7847E6742,SHA256=68A9BAC2B32C9FD3B7C0228685B013D8A0FCE5683A73DCF6292D687D741597D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000209038Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:08:43.966{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=281FE46B75EB1C7099A8B6A0D4B6EC32,SHA256=059F6C0090ECB65135F4A532A83BB46C84F9A5100B4B832F97B18967011BD686,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272334Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:08:43.479{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3B0159BE11A7DED53CDC6D1800FBB9F,SHA256=7A293DB5DA075CB289BE4C348E15CF4E9286D8370F3BD255D2397127F115613C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000209039Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:08:42.161{8E625C7F-6FE3-642D-6100-00000000CC02}3076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-176.us-east-2.compute.internal49846-false10.0.1.12-8000- 23542300x8000000000000000272336Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:08:44.682{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E410880CD2FAB03ED9BD038D9A5E51D,SHA256=CCBA15040D043F921D9C81BE0965CA15692D54D91D7D885D97A1F7E4D3E89042,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000272335Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:08:41.931{EDA2768C-6FF5-642D-7000-00000000CB02}1600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-192.attackrange.local63880-false10.0.1.12-8000- 23542300x8000000000000000209040Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:08:45.060{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47900765750A16982A2238C2919095EC,SHA256=0460A7CCA145C8513DFE2DA210BD3A4F901BF6EB94E2AB158882A4338759C390,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272337Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:08:45.886{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51919F8F6EC9B8E00B7FD5A26930CDFB,SHA256=C4252A4D02CD49856DE92AABC2CC7FAF8D16FB3DF6CFEB1CDD672B59FC5D5A61,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000209041Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:08:46.373{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=632FED47EF370678E8A515F5F61D4623,SHA256=4F3856EC5587B9AF75F8927DAD745873F9D18312211008253D00F8528F53BB5F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272338Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:08:46.979{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9914CF4C9178F25F11C8B1CB1892D7E3,SHA256=3BCAB0E8CE61BC0D3E838E93E7253B2A6A83F4AC637E0EFBAD512079155DB35A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000209042Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:08:47.466{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1F6DB379970723BF0CA742EC905B14F,SHA256=8EA71EE42D904C7889A55C3D3B91210EFAED5275F7276C02BF0783094F65ABA4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000209043Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:08:48.779{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2226FD163B48FA2041C58E2346784328,SHA256=B661228F9748156B151423F8294DBF39E0B9939363D0E3A06EB7B7991DB9A0C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272339Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:08:48.183{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF0B889D82F6F18F46E03B02D95D8CF5,SHA256=2E6304536D3151DE4F2A330162B0AAC03627E4A5FA879501AA45B7D0F68604AC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000272341Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:08:47.057{EDA2768C-6FF5-642D-7000-00000000CB02}1600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-192.attackrange.local63881-false10.0.1.12-8000- 23542300x8000000000000000272340Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:08:49.276{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE21EDDEB75CA376827D8A261D59139F,SHA256=6B9E40AB312C50359700B5A38755FF4C1234B65D1477E02D91CA5EC9CEE06A1D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000209045Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:08:48.161{8E625C7F-6FE3-642D-6100-00000000CC02}3076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-176.us-east-2.compute.internal49847-false10.0.1.12-8000- 23542300x8000000000000000209044Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:08:50.091{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8EEC1B48A79B0F0FE189A08659934B5,SHA256=B15F888454FF9CCAFFB0AE6F34131F0812A79736B796531F845430BC962B8EFA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272342Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:08:50.370{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7DD17B49A225CFB543AA8ADD198A075,SHA256=0606D1A0C61B5FAE15AD22E042ECBD7AF713A6ACE1FD6C93AFBACB423E4DF44B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000209046Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:08:51.185{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6790ACEC366472EF1C14D1C6FC0371C6,SHA256=BDA94FD101A750237F5A74B652433462ECE27250266AC8A4503B6A79CF13D8EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272343Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:08:51.573{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C3BDC0C1781AC3E7CF2F40845CECBD2,SHA256=6251A2A38097077253E7D50E5258E4A897CEFA62E127798865AB715D8150CEC9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000209048Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:08:52.435{8E625C7F-6FD8-642D-1100-00000000CC02}976NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=562B3B10260C876437B30742783371A7,SHA256=3B21673FAFE02B5B90E0F43E09620A1BE0ACEF9F6CFD687A3C19FF8C144F7FCC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000209047Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:08:52.279{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8F7ED99051B7986AB1764035EEC61B2,SHA256=FAFC49EEEB2B104B9FCE594C4833464B800065A0F70D8A808E3995F0DE2BBEF3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272344Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:08:52.886{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7100BC32FC6B84CBDE605BADBBFD8A74,SHA256=12A262939CB3BFB52DAC78A401FE2DF1DDB50AE72308F3CAED79B59D56367593,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000209059Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:08:53.482{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FA2634048F8062FA863FCBE499A39C3,SHA256=471E8D1BA74DBF36EF1D93B20AEE83256DBF6C23EC364212831EEEAD412C3A77,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272345Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:08:53.980{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A132E1A92333AF0FAC5B545EF7F60ED6,SHA256=B2BC04E45954E1C96752236A7771AD77321FDEAE010212B7C2FA5C6CBDD3FDC7,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000209058Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-SetValue2023-04-05 13:08:53.388{8E625C7F-6FD7-642D-0B00-00000000CC02}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000209057Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-SetValue2023-04-05 13:08:53.388{8E625C7F-6FD7-642D-0B00-00000000CC02}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x000bfebd) 13241300x8000000000000000209056Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-SetValue2023-04-05 13:08:53.388{8E625C7F-6FD7-642D-0B00-00000000CC02}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d967b7-0x642bd76d) 13241300x8000000000000000209055Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-SetValue2023-04-05 13:08:53.388{8E625C7F-6FD7-642D-0B00-00000000CC02}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d967bf-0xc5f03f6d) 13241300x8000000000000000209054Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-SetValue2023-04-05 13:08:53.388{8E625C7F-6FD7-642D-0B00-00000000CC02}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d967c8-0x27b4a76d) 13241300x8000000000000000209053Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-SetValue2023-04-05 13:08:53.388{8E625C7F-6FD7-642D-0B00-00000000CC02}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000209052Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-SetValue2023-04-05 13:08:53.388{8E625C7F-6FD7-642D-0B00-00000000CC02}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x000bfebd) 13241300x8000000000000000209051Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-SetValue2023-04-05 13:08:53.388{8E625C7F-6FD7-642D-0B00-00000000CC02}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d967b7-0x642bd76d) 13241300x8000000000000000209050Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-SetValue2023-04-05 13:08:53.388{8E625C7F-6FD7-642D-0B00-00000000CC02}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d967bf-0xc5f03f6d) 13241300x8000000000000000209049Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-SetValue2023-04-05 13:08:53.388{8E625C7F-6FD7-642D-0B00-00000000CC02}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d967c8-0x27b4a76d) 23542300x8000000000000000209060Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:08:54.576{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35E2D78FFA6BBBF2EC59F5DB3E3EE387,SHA256=2CB43CCF0D98C059E6AF1FAA830BB28776A6538213B8222C8F813ACCE90CD77A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000209063Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:08:55.779{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7212FBA14DA2353311272CAA1980102,SHA256=BBC53981F67FDA493AEFE7A38D84AB14A7CB8ED4D3C1101F70DFC42EFA91A53B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000209062Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:08:54.146{8E625C7F-6FE3-642D-6100-00000000CC02}3076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-176.us-east-2.compute.internal49848-false10.0.1.12-8000- 23542300x8000000000000000209061Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:08:55.091{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=4577D80F32C559335D61837A0599692B,SHA256=1B8ED9DEBD64830CDC513085F3D1FFD2B23B7A73E342AB9CF89F0D8ED4D3B3D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272347Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:08:55.792{EDA2768C-6FEA-642D-2900-00000000CB02}2628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=91A5E5FAA2064DF79AB5975030E7603C,SHA256=DBB50F79F1470B2F6C09E75CD97115BD97FF5668E98AEFCFD4A6D848FD2A00E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272346Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:08:55.074{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7DC5543B337D82805CD8815C09BB8BE0,SHA256=ADD2A4B5F775B6411308462431C9CDE4E8CBFFBC8FECFD1DB5BDBFA7F7D4460F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272349Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:08:56.386{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80CF7BF8EF5196476A5A641860658A85,SHA256=56216C8F6E2C12BF6205DA5C5C639E461791ECD28237C537A88261969A907C77,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000272348Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:08:53.010{EDA2768C-6FF5-642D-7000-00000000CB02}1600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-192.attackrange.local63882-false10.0.1.12-8000- 23542300x8000000000000000209064Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:08:57.091{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1DBE370F2010611635CDC246E5D9901E,SHA256=CB39270947B2ADAB1944AB182D8A618FEB9F8FB7D60609605E0FA06671B663BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272350Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:08:57.480{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09EB3FBAD690F4B4684C721C57E985AF,SHA256=5D229A4850AE7A2AE742CC980FF5E124B52B8E53ECF6F2745F900A358F8C476C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000209065Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:08:58.404{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=456E4AF1EF9FC92D7D197FDEA282A3A7,SHA256=5C01A5DDB684DC05B95505118F15698FCD342E92AA2FE23DC627F553D4F6A30E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272352Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:08:58.793{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=969EB5C2CBBC0BCE652C7A226BF59F42,SHA256=E5D38DFFF48FADF86115069BDD425C2AB90BCEABFD1EA319317BA7EBD4ABE947,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272351Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:08:58.293{EDA2768C-6FDC-642D-1100-00000000CB02}92NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=7447E26598BBDA5B30F4DC7701AE8E41,SHA256=46BDE42E172922927165AD02BF418E65AC4130AD31A5DA7522558DD531FEF46D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000209066Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:08:59.497{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=711A68710FB2909364731CF85DB14CC6,SHA256=8D9EFD33A9A39E491338534720ACA73BA589274FD10C673AAFFECB0537E3B147,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272353Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:08:59.996{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64C3D6C248D5C047790EF19C33ED8F34,SHA256=2F10382216A9C866490C762B2BDCAB4AF5C29416192C2DF924F31677810D6616,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000209068Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:09:00.591{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB1CB69A2FBCB33C40C2C001F99B8BA3,SHA256=017588DF5EF337B2203886B2B0445B9C262D755E05166D684F3CF91981F90674,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000209067Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:09:00.560{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=5C7192B6E5CC5D9A72771EF356D02180,SHA256=4299F7921B96BA18491E1A608D7BC0BCF3FA9B7804B9DAB9C68F25BA08281D8E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000209070Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:09:00.098{8E625C7F-6FE3-642D-6100-00000000CC02}3076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-176.us-east-2.compute.internal49849-false10.0.1.12-8000- 23542300x8000000000000000209069Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:09:01.685{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=448E630AAE42327FE56DF4B48E4874BD,SHA256=53FF39557B763C0FE2A3EA1F67B01D00B3DF79DDDFDF96DEA1A38299C3BBC8DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272354Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:09:01.199{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E64388C44EC71D4F9EEEF2F74FBEB9FF,SHA256=FAFEF6F000127E6CDE6210BF19799E6B7E59B4B7D4439AAE2AA14AAA4EDBFA81,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000209071Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:09:02.779{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58044E201985C25BE1C1E6A2948890E3,SHA256=D32E4D3C853C2629FBC821BB3BE8895959FD096473487F263647B615518A6169,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272356Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:09:02.402{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3737B213111EDDA5C9E22F9DE8F89B21,SHA256=F600F2C217039AE86E0E768676ACB5356DD4713FAC93F89BAD9ECF90E1950D0E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000272355Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:08:58.947{EDA2768C-6FF5-642D-7000-00000000CB02}1600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-192.attackrange.local63883-false10.0.1.12-8000- 23542300x8000000000000000209072Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:09:03.497{8E625C7F-6FD8-642D-1E00-00000000CC02}1944NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=A7F5F15494D40628A6454642BDB837C6,SHA256=A232CA83B5EE3C99D23413319539A66CCCA50F101DFBC10136DB50B1520A2DBE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272357Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:09:03.496{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23FBA046EC2992802BA95EC129DD213F,SHA256=CF9E39ACE616E90317944F3C215AD5B37F3A568722008FC25AC7F78BBF994A67,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000209074Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:09:03.489{8E625C7F-6FD8-642D-1E00-00000000CC02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-176.us-east-2.compute.internal49850-false10.0.1.12-8089- 23542300x8000000000000000209073Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:09:04.091{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85118AD2C03CD1D31A319D7351EE24AD,SHA256=A23D9855F86931B486FBE44329A64F65748AE58477AAA3CABE3682582992EAFA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272358Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:09:04.606{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1CA4842A780203E3AB4B56A7B4445793,SHA256=94C156951D9E09ACF78B1539C1111ABAF05D522A56F31CE7A230DCF959611CBA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000209088Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:09:05.404{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A66ACB4C39BD0F7C5160067759386DE,SHA256=E7CF7E4F9895F5CD17A5BCB1411E2D1570A22262A687D6A539DC073E492B4A4A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000209087Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:09:05.310{8E625C7F-6FD9-642D-2E00-00000000CC02}28362856C:\Windows\system32\conhost.exe{8E625C7F-72F1-642D-0001-00000000CC02}2016C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209086Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:09:05.310{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209085Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:09:05.310{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209084Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:09:05.310{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209083Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:09:05.310{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209082Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:09:05.310{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209081Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:09:05.310{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209080Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:09:05.310{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209079Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:09:05.310{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209078Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:09:05.310{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209077Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:09:05.310{8E625C7F-6FD7-642D-0500-00000000CC02}4123824C:\Windows\system32\csrss.exe{8E625C7F-72F1-642D-0001-00000000CC02}2016C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000209076Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:09:05.310{8E625C7F-6FD8-642D-1E00-00000000CC02}19442984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8E625C7F-72F1-642D-0001-00000000CC02}2016C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000209075Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:09:05.311{8E625C7F-72F1-642D-0001-00000000CC02}2016C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8E625C7F-6FD7-642D-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{8E625C7F-6FD8-642D-1E00-00000000CC02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000272359Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:09:05.699{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF9A1B0B88ECCCA104E34B12B3DB021C,SHA256=2F7F4A059AB8CBDB55D3B644437FE9F9BFE61DC848202499415FE60E6EA730B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000209105Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:09:06.607{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3068FD16165DDAD5B35EB583108E4D3D,SHA256=E0A35365EBF7F0F2FD77EB59CC9E70CD113A089322A8DC8CE46F1826B1A38C7E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000209104Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:09:06.513{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=33ADDCDE543F70E80F5673982808F7E0,SHA256=637EC326E320FD058F12F804D8CD1294431586B6CA4728E6EE6116203DF39249,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000209103Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:09:06.497{8E625C7F-6FD8-642D-1E00-00000000CC02}1944NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=F9A5447A3F0C9973B0A87C643DDDD472,SHA256=BDE1D775E2047524808E656EC07CE998DE1AF399AD8560E5EA4AEE2F86FC5DC8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000209102Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:09:06.466{8E625C7F-72F2-642D-0101-00000000CC02}5242524C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{8E625C7F-6FD8-642D-1E00-00000000CC02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209101Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:09:06.294{8E625C7F-6FD9-642D-2E00-00000000CC02}28362856C:\Windows\system32\conhost.exe{8E625C7F-72F2-642D-0101-00000000CC02}524C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209100Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:09:06.294{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209099Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:09:06.294{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209098Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:09:06.294{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209097Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:09:06.294{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209096Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:09:06.294{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209095Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:09:06.294{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209094Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:09:06.294{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209093Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:09:06.294{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209092Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:09:06.294{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209091Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:09:06.294{8E625C7F-6FD7-642D-0500-00000000CC02}4123824C:\Windows\system32\csrss.exe{8E625C7F-72F2-642D-0101-00000000CC02}524C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000209090Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:09:06.294{8E625C7F-6FD8-642D-1E00-00000000CC02}19442984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8E625C7F-72F2-642D-0101-00000000CC02}524C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000209089Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:09:06.295{8E625C7F-72F2-642D-0101-00000000CC02}524C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8E625C7F-6FD7-642D-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{8E625C7F-6FD8-642D-1E00-00000000CC02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000272361Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:09:06.793{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9AE47B3DFB05DB222548B51D93C66C97,SHA256=157A65B34DF49CE147C1C8B0FF6280FD9642958BDCD9FB8CAF7B1EF621EB1EB6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272360Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:09:06.371{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=28311BEFA2B184848932573FB1985D89,SHA256=7F48613C3B79DA7657377AF9F510A67E957A87F0AD62A572C4BF080F44834950,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000209119Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:09:07.591{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E49D21C484A0B372DEB6A1CDAA3FCCB,SHA256=B8DC4615D24F27D282C7F5C8AC352864E42DCF65D99AEAD26DF6EAA8700C1485,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272363Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:09:07.996{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D613B966DC2C7036ED32F6E57B412F9,SHA256=F1D599F7692734CD7AEB618DDCF5E5A91B234DB54D090A94661D70CCCD4E092A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000209118Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:09:06.997{8E625C7F-6FD9-642D-2E00-00000000CC02}28362856C:\Windows\system32\conhost.exe{8E625C7F-72F2-642D-0201-00000000CC02}2012C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209117Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:09:06.997{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209116Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:09:06.997{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209115Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:09:06.997{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209114Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:09:06.997{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209113Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:09:06.997{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209112Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:09:06.997{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209111Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:09:06.997{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209110Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:09:06.997{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209109Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:09:06.997{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209108Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:09:06.997{8E625C7F-6FD7-642D-0500-00000000CC02}4121036C:\Windows\system32\csrss.exe{8E625C7F-72F2-642D-0201-00000000CC02}2012C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000209107Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:09:06.997{8E625C7F-6FD8-642D-1E00-00000000CC02}19442984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8E625C7F-72F2-642D-0201-00000000CC02}2012C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000209106Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:09:06.998{8E625C7F-72F2-642D-0201-00000000CC02}2012C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8E625C7F-6FD7-642D-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{8E625C7F-6FD8-642D-1E00-00000000CC02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000272362Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:09:04.135{EDA2768C-6FF5-642D-7000-00000000CB02}1600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-192.attackrange.local63884-false10.0.1.12-8000- 10341000x8000000000000000209134Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:09:08.872{8E625C7F-6FD9-642D-2E00-00000000CC02}28362856C:\Windows\system32\conhost.exe{8E625C7F-72F4-642D-0301-00000000CC02}3404C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209133Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:09:08.872{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209132Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:09:08.872{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209131Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:09:08.872{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209130Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:09:08.872{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209129Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:09:08.872{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209128Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:09:08.872{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209127Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:09:08.872{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209126Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:09:08.872{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209125Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:09:08.872{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209124Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:09:08.872{8E625C7F-6FD7-642D-0500-00000000CC02}412540C:\Windows\system32\csrss.exe{8E625C7F-72F4-642D-0301-00000000CC02}3404C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000209123Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:09:08.872{8E625C7F-6FD8-642D-1E00-00000000CC02}19442984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8E625C7F-72F4-642D-0301-00000000CC02}3404C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000209122Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:09:08.874{8E625C7F-72F4-642D-0301-00000000CC02}3404C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8E625C7F-6FD7-642D-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{8E625C7F-6FD8-642D-1E00-00000000CC02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000209121Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:09:08.685{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D3FF61D0C3A95E8956E8AB08AF867D1,SHA256=BC6A4DB39A749F719DEF7274196C28F06C677227B2388C26D29963AD67B23399,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000209120Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:09:06.130{8E625C7F-6FE3-642D-6100-00000000CC02}3076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-176.us-east-2.compute.internal49851-false10.0.1.12-8000- 10341000x8000000000000000209149Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:09:09.919{8E625C7F-6FD9-642D-2E00-00000000CC02}28362856C:\Windows\system32\conhost.exe{8E625C7F-72F5-642D-0401-00000000CC02}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209148Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:09:09.919{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209147Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:09:09.919{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209146Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:09:09.919{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209145Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:09:09.919{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209144Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:09:09.919{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209143Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:09:09.919{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209142Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:09:09.919{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209141Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:09:09.919{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209140Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:09:09.919{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209139Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:09:09.919{8E625C7F-6FD7-642D-0500-00000000CC02}4121036C:\Windows\system32\csrss.exe{8E625C7F-72F5-642D-0401-00000000CC02}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000209138Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:09:09.919{8E625C7F-6FD8-642D-1E00-00000000CC02}19442984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8E625C7F-72F5-642D-0401-00000000CC02}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000209137Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:09:09.920{8E625C7F-72F5-642D-0401-00000000CC02}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{8E625C7F-6FD7-642D-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{8E625C7F-6FD8-642D-1E00-00000000CC02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000209136Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:09:09.779{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6FD920ED279E6A394D57CE7B417A009,SHA256=4767EC3897207120518307A02912412440AAC14819699A70ADA3FBCFB2A47B8C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000209135Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:09:09.044{8E625C7F-72F4-642D-0301-00000000CC02}34043776C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{8E625C7F-6FD8-642D-1E00-00000000CC02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000272364Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:09:09.090{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B534EDF33767506E245E2D6D168306BD,SHA256=C3DDEC19BD7874E1E0776B50FE0C1415ECB8CBF72D6AB166B1EEFB7359F3D10B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000209164Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:09:10.779{8E625C7F-72F6-642D-0501-00000000CC02}26601952C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{8E625C7F-6FD8-642D-1E00-00000000CC02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209163Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:09:10.591{8E625C7F-6FD9-642D-2E00-00000000CC02}28362856C:\Windows\system32\conhost.exe{8E625C7F-72F6-642D-0501-00000000CC02}2660C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209162Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:09:10.591{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209161Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:09:10.591{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209160Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:09:10.591{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209159Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:09:10.591{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209158Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:09:10.591{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209157Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:09:10.591{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209156Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:09:10.591{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209155Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:09:10.591{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209154Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:09:10.591{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209153Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:09:10.591{8E625C7F-6FD7-642D-0500-00000000CC02}4121036C:\Windows\system32\csrss.exe{8E625C7F-72F6-642D-0501-00000000CC02}2660C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000209152Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:09:10.591{8E625C7F-6FD8-642D-1E00-00000000CC02}19442984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8E625C7F-72F6-642D-0501-00000000CC02}2660C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000209151Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:09:10.592{8E625C7F-72F6-642D-0501-00000000CC02}2660C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8E625C7F-6FD7-642D-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{8E625C7F-6FD8-642D-1E00-00000000CC02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000209150Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:09:10.060{8E625C7F-72F5-642D-0401-00000000CC02}36321240C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{8E625C7F-6FD8-642D-1E00-00000000CC02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000272366Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:09:10.184{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC47657DD144480F78D95CB4C6389C6A,SHA256=91FAC3D03DD9981A1BD4A650A1D1E7A46F69CD431D83DA1BC9F225D7E3876F22,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272365Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:09:10.137{EDA2768C-6FEA-642D-2900-00000000CB02}2628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=D5CA56D6F3597357E8C3B1CA51B9F30C,SHA256=9E08A18D639B411C72E2A6F9A6F9758642B555BE3D4AE0CCE8F17A39E92A7600,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000209165Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:09:11.185{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1365108945F6DB9171216646E850820,SHA256=EB0A06C274C9A4922EDE617D6FE15183A1DF5B3189C3314E86F546257BDCC941,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000272368Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:09:08.994{EDA2768C-6FEA-642D-2900-00000000CB02}2628C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-192.attackrange.local63885-false10.0.1.12-8089- 23542300x8000000000000000272367Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:09:11.278{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FAD4B6ABBB3BBA4C719AE5098A59FE5F,SHA256=B7E55DCD92D0A83424A76869CC2E7BC61DA37460B9480B67BCE8612923BAE35C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000209179Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:09:12.419{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A090BCA8FB59D59F351FCADDA4E408D,SHA256=EE0FA9BED099FCBAD6E8BEDC9D560A52BAFFD634B2CC6F2A1BE7838EABEE4CA3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000209178Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:09:12.325{8E625C7F-6FD9-642D-2E00-00000000CC02}28362856C:\Windows\system32\conhost.exe{8E625C7F-72F8-642D-0601-00000000CC02}4000C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209177Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:09:12.325{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209176Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:09:12.325{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209175Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:09:12.325{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209174Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:09:12.325{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209173Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:09:12.325{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209172Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:09:12.325{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209171Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:09:12.325{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209170Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:09:12.325{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209169Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:09:12.325{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209168Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:09:12.325{8E625C7F-6FD7-642D-0500-00000000CC02}4121036C:\Windows\system32\csrss.exe{8E625C7F-72F8-642D-0601-00000000CC02}4000C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000209167Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:09:12.325{8E625C7F-6FD8-642D-1E00-00000000CC02}19442984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8E625C7F-72F8-642D-0601-00000000CC02}4000C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000209166Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:09:12.326{8E625C7F-72F8-642D-0601-00000000CC02}4000C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8E625C7F-6FD7-642D-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{8E625C7F-6FD8-642D-1E00-00000000CC02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000272370Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:09:10.056{EDA2768C-6FF5-642D-7000-00000000CB02}1600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-192.attackrange.local63886-false10.0.1.12-8000- 23542300x8000000000000000272369Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:09:12.372{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44D31750CCF65057ECE2F9463BDA8CB1,SHA256=82082E23D6C867C15CC11F8305B2C40900F15E38AED9EA161A988204961EC1C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000209182Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:09:13.515{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4B8F758945EB12FE7312410E7B50A9ED,SHA256=74B98465E3BC6948312EAA984DAAA1D8307532A87A681BD545BA823D27B6AF5A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000209181Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:09:13.499{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FDF6DC9E4357397C1A00CE4F7140CE2D,SHA256=35DC59BFEAE6E50A845A05292AB2AE8F72CD8C2D3430F510624EEA0D63DD8E86,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000209180Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:09:13.103{8E625C7F-6FD8-642D-1A00-00000000CC02}1868NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0349dcef4ef1bffd1\channels\health\respondent-20230405125554-012MD5=01AFA1117B3FF8C251038CF8389D3BC3,SHA256=E6B2DA3B1F447C8796BEA507CA8DDC0A951700532C0315D7CA2BAFBA4D11A451,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272371Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:09:13.575{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D64CC90549A5709D3102E297B18D8AF0,SHA256=6BE76052B15C7D89A64B07938B9DE2CF75C311CF7B2B2D2F89AFEFA0E9B620D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000209185Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:09:14.688{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10C9B9F3C6263E4E5B341BEE268BCC3A,SHA256=0EE89B5A35E9B8EB555FD584058E73B60388B0BDF432BABAB452862D4F7CAC59,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000209184Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:09:12.083{8E625C7F-6FE3-642D-6100-00000000CC02}3076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-176.us-east-2.compute.internal49852-false10.0.1.12-8000- 23542300x8000000000000000209183Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:09:14.109{8E625C7F-6FD8-642D-1A00-00000000CC02}1868NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0349dcef4ef1bffd1\channels\health\surveyor-20230405125553-013MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272372Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:09:14.778{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92C6701EA9CEB029FF4232872E5AD3F0,SHA256=BCA4B1E6EFBF073B854350DE7AAF3CBFD60C21B843D4FE94EDD1BBEAD77264C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000209186Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:09:15.891{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55F24DCFD7880D3B3FC592988BF46720,SHA256=E9F8BCC6A9DA192122A22967F34187788F517A7C624CD893F90586976B22C5AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272373Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:09:15.872{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F4250F48BAAD4CFFD861174BBA3A0A0,SHA256=CA5ED4502585AF12562D18428828F568845E42DC7088F88B2DB97AEA44C61D16,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272374Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:09:16.981{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=766AA2D22321DDB3D7D7DF97B46069CF,SHA256=A8A34919D82237DC04A828CDD8296653B6EFD8AD34D680D477F6151C761983B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000209187Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:09:17.094{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E7F1A17D12C4F71C449278EFC08E48A,SHA256=4A1FA75C0FD30BE021FA808A3CA953F409DA021B72AAE83E828AD9095B9C91B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000209188Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:09:18.188{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC6DB297CA8CDB0F295B71620793E035,SHA256=7C75F51ED120433CB735C94674FB5435840AD79AA322570F922D238C681C668C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000272376Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:09:16.009{EDA2768C-6FF5-642D-7000-00000000CB02}1600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-192.attackrange.local63887-false10.0.1.12-8000- 23542300x8000000000000000272375Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:09:18.075{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCB018999BDF834167FFFE4FF6F6B8C9,SHA256=739FD91E6FA0FDF4917BAFFD4E6D714F775849E7E7C046B9D7ECDABEAF349D74,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000209190Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:09:17.211{8E625C7F-6FE3-642D-6100-00000000CC02}3076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-176.us-east-2.compute.internal49853-false10.0.1.12-8000- 23542300x8000000000000000209189Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:09:19.281{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4F809656AE662442BEA781078111E80,SHA256=D9CD01CDC53CFA7E89B1A15FBDB670CD1E7AE04F17E63C0BCB5A151638E182BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272377Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:09:19.278{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22F3BF7D547E75AE34AF87F9A6A5D642,SHA256=4FC43BD3A81646F45B6C4FA082CF9988B461EC73FF913CFFBC84AD7DDFC5A4AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000209191Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:09:20.375{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A065BCF5BC39500F6E0F19605EBC662B,SHA256=ABAAD4D182940DB780E1112F6CE709F65C0952FD004217D1C3505731DCA2A3E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272378Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:09:20.372{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8992700CF95846B6B5FC0492F792FBFC,SHA256=91ABE15C024BF81C971C70552CA616BE248B0E2B7689F8B7863F951514B315D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000209192Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:09:21.578{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A26E69B4DCB4E53A0EF3A68F6A1274B9,SHA256=5C867A3B10C1E6E81E6985057EEB21F0DF6A754AB58CE1EBF1C8F3A6CF07B17B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272379Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:09:21.591{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=095DE2AAE68318BA6123C9BB33DB9DD1,SHA256=CAD2F81578C717055D7C88C28B0159F33F23609D0FB99DC1065B51618713DBF6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000209193Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:09:22.672{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2E4948734F4049981700FA92D5EFBE0,SHA256=242A3C7B91CF20E266E2315BE3008B45EB34E668DCD1A031CF3B82BFD594B31F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272380Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:09:22.669{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A1865C4AAD3360AA4366BDAC7F2ADD8,SHA256=06CAA957C2E7E396E50C6F9FF9886F56A8FCFBEF8A2F9A156A06F4B70D0E6381,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000209194Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:09:23.766{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0304D49BB0F3463D7E57009FF7ABB39,SHA256=A65D8E68D0370060E0621AD2BDB5C0BEFD43166CA118F4F31BF783A095BD2C71,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272381Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:09:23.763{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A971FDE48152BF2BC157F1F5C92DA3A,SHA256=FDEA598316B803ADDAD108B3ADE642C774DED1C7FA0394F1A5308264EC688362,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000209196Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:09:24.860{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=623852153C40A12AB095C6079F31FADA,SHA256=647D2450A8C4DE5BD9D4BAB5E4C2990B4BD2C349E531217EF9D076B52F8BF2F7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000209195Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:09:23.226{8E625C7F-6FE3-642D-6100-00000000CC02}3076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-176.us-east-2.compute.internal49854-false10.0.1.12-8000- 10341000x8000000000000000272409Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:09:24.904{EDA2768C-6FEB-642D-3500-00000000CB02}31363164C:\Windows\system32\conhost.exe{EDA2768C-7304-642D-0801-00000000CB02}184C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272408Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:09:24.904{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272407Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:09:24.904{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272406Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:09:24.904{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272405Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:09:24.904{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272404Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:09:24.904{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272403Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:09:24.904{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272402Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:09:24.904{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272401Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:09:24.904{EDA2768C-6FD9-642D-0500-00000000CB02}420784C:\Windows\system32\csrss.exe{EDA2768C-7304-642D-0801-00000000CB02}184C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000272400Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:09:24.904{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272399Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:09:24.904{EDA2768C-6FEA-642D-2900-00000000CB02}26284044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EDA2768C-7304-642D-0801-00000000CB02}184C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272398Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:09:24.904{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000272397Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:09:24.906{EDA2768C-7304-642D-0801-00000000CB02}184C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{EDA2768C-6FDA-642D-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{EDA2768C-6FEA-642D-2900-00000000CB02}2628C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000272396Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:09:24.857{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=106A1B00E015FDF848332B54D77B396D,SHA256=5EB29C4A199AA1B4FFE4D2CBAE6B4A02EBC924CE1EB101BA595D4B050B07B1A6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000272395Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:09:21.916{EDA2768C-6FF5-642D-7000-00000000CB02}1600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-192.attackrange.local63888-false10.0.1.12-8000- 10341000x8000000000000000272394Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:09:24.122{EDA2768C-6FEB-642D-3500-00000000CB02}31363164C:\Windows\system32\conhost.exe{EDA2768C-7304-642D-0701-00000000CB02}3716C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272393Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:09:24.122{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272392Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:09:24.122{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272391Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:09:24.122{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272390Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:09:24.122{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272389Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:09:24.122{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272388Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:09:24.122{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272387Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:09:24.122{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272386Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:09:24.122{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272385Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:09:24.122{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272384Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:09:24.122{EDA2768C-6FD9-642D-0500-00000000CB02}420548C:\Windows\system32\csrss.exe{EDA2768C-7304-642D-0701-00000000CB02}3716C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000272383Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:09:24.122{EDA2768C-6FEA-642D-2900-00000000CB02}26284044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EDA2768C-7304-642D-0701-00000000CB02}3716C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000272382Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:09:24.123{EDA2768C-7304-642D-0701-00000000CB02}3716C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{EDA2768C-6FDA-642D-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{EDA2768C-6FEA-642D-2900-00000000CB02}2628C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000209197Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:09:25.953{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC05730185BD2777617F34C33446F186,SHA256=3919B17287AB8089C4D9A92A56AA680157BF652CC26EF290DA24EBA3E0B1E4A7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000272424Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:09:25.763{EDA2768C-6FEB-642D-3500-00000000CB02}31363164C:\Windows\system32\conhost.exe{EDA2768C-7305-642D-0901-00000000CB02}4076C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272423Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:09:25.763{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272422Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:09:25.763{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272421Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:09:25.763{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272420Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:09:25.763{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272419Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:09:25.763{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272418Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:09:25.763{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272417Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:09:25.763{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272416Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:09:25.763{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272415Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:09:25.763{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272414Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:09:25.763{EDA2768C-6FD9-642D-0500-00000000CB02}420548C:\Windows\system32\csrss.exe{EDA2768C-7305-642D-0901-00000000CB02}4076C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000272413Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:09:25.763{EDA2768C-6FEA-642D-2900-00000000CB02}26284044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EDA2768C-7305-642D-0901-00000000CB02}4076C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000272412Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:09:25.764{EDA2768C-7305-642D-0901-00000000CB02}4076C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{EDA2768C-6FDA-642D-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{EDA2768C-6FEA-642D-2900-00000000CB02}2628C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000272411Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:09:25.232{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EB2D00AD7ABD0D949CFE8F1F8285A0A6,SHA256=C145F748F92A8852BBD07AEE3408EF20EFC0967CA298679CA92A96A909427BD9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000272410Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:09:25.107{EDA2768C-7304-642D-0801-00000000CB02}1843636C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{EDA2768C-6FEA-642D-2900-00000000CB02}2628C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000272426Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:09:26.420{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6EF619387CCA4463E8D5FC6358EF294,SHA256=7D6D44208F47FB8ECAEE46D4D46332974C2EC64C79CE71F558A364D8A7039D90,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272425Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:09:26.013{EDA2768C-6FEA-642D-2900-00000000CB02}2628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=497C989868356F5FACBDB59860997079,SHA256=B7CA47F9C14C03B190FBCF2535D28B47665EF825749082AC8196C700B005B7C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000209198Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:09:27.156{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4EA4CA201CEAE39249AF883BD76BF5D,SHA256=8B145AA5EE131C047D751FABCB92758D5AEDAAFA29C733582BC428000A19CD61,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000272442Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:09:24.650{EDA2768C-6FDA-642D-0B00-00000000CB02}648C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-192.attackrange.local63889-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-192.attackrange.local389ldap 354300x8000000000000000272441Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:09:24.650{EDA2768C-6FEA-642D-2700-00000000CB02}2600C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-192.attackrange.local63889-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-192.attackrange.local389ldap 10341000x8000000000000000272440Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:09:27.873{EDA2768C-6FEB-642D-3500-00000000CB02}31363164C:\Windows\system32\conhost.exe{EDA2768C-7307-642D-0A01-00000000CB02}1344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272439Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:09:27.873{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272438Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:09:27.873{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272437Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:09:27.873{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272436Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:09:27.873{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272435Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:09:27.873{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272434Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:09:27.873{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272433Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:09:27.873{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272432Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:09:27.873{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272431Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:09:27.873{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272430Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:09:27.873{EDA2768C-6FD9-642D-0500-00000000CB02}420784C:\Windows\system32\csrss.exe{EDA2768C-7307-642D-0A01-00000000CB02}1344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000272429Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:09:27.873{EDA2768C-6FEA-642D-2900-00000000CB02}26284044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EDA2768C-7307-642D-0A01-00000000CB02}1344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000272428Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:09:27.874{EDA2768C-7307-642D-0A01-00000000CB02}1344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{EDA2768C-6FDA-642D-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{EDA2768C-6FEA-642D-2900-00000000CB02}2628C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000272427Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:09:27.170{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=061CAA9B22C84DE844376C3F2982A472,SHA256=F75B7DEC32EAFAC0D319A73C5FBBDB93CAD52D9452DCF9641DE6208B3D19BCAF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000209199Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:09:28.250{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D883F150637CA59F770979AA273CB25,SHA256=4AE8D2DA166D9C65D478F5A8386C98763A6231817CA2CDB143E285B75621F327,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000272458Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:09:28.842{EDA2768C-7308-642D-0B01-00000000CB02}36882696C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{EDA2768C-6FEA-642D-2900-00000000CB02}2628C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272457Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:09:28.545{EDA2768C-6FEB-642D-3500-00000000CB02}31363164C:\Windows\system32\conhost.exe{EDA2768C-7308-642D-0B01-00000000CB02}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272456Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:09:28.545{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272455Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:09:28.545{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272454Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:09:28.545{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272453Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:09:28.545{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272452Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:09:28.545{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272451Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:09:28.545{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272450Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:09:28.545{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272449Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:09:28.545{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272448Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:09:28.545{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272447Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:09:28.545{EDA2768C-6FD9-642D-0500-00000000CB02}420548C:\Windows\system32\csrss.exe{EDA2768C-7308-642D-0B01-00000000CB02}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000272446Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:09:28.545{EDA2768C-6FEA-642D-2900-00000000CB02}26284044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EDA2768C-7308-642D-0B01-00000000CB02}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000272445Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:09:28.546{EDA2768C-7308-642D-0B01-00000000CB02}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{EDA2768C-6FDA-642D-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{EDA2768C-6FEA-642D-2900-00000000CB02}2628C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000272444Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:09:28.263{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07403C7E94FA65DEA6BE07304E21506D,SHA256=2D747109336F72BFD0C19980CD76CDD82D7257B467354A1F34412DE3C8370842,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000272443Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:09:28.076{EDA2768C-7307-642D-0A01-00000000CB02}13442840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{EDA2768C-6FEA-642D-2900-00000000CB02}2628C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000209200Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:09:29.344{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB6DDAC30827A9488EECE0F39759AFC1,SHA256=1FD14AA8E77256B44204657E784E2B2EA25CA93F98F9F913D936CF1BC12F57E1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000272474Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:09:27.088{EDA2768C-6FF5-642D-7000-00000000CB02}1600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-192.attackrange.local63890-false10.0.1.12-8000- 23542300x8000000000000000272473Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:09:29.545{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5EF99C3AF10277DCC6136529ABB661B5,SHA256=CEBC64D6959AC4DDE6DB6FB8F594A37FAAB2AFB4B518CBE8FAE1A3507F8D33A0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000272472Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:09:29.248{EDA2768C-7309-642D-0C01-00000000CB02}37721088C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{EDA2768C-6FEA-642D-2900-00000000CB02}2628C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272471Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:09:29.045{EDA2768C-6FEB-642D-3500-00000000CB02}31363164C:\Windows\system32\conhost.exe{EDA2768C-7309-642D-0C01-00000000CB02}3772C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272470Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:09:29.045{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272469Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:09:29.045{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272468Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:09:29.045{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272467Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:09:29.045{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272466Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:09:29.045{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272465Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:09:29.045{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272464Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:09:29.045{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272463Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:09:29.045{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272462Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:09:29.045{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272461Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:09:29.045{EDA2768C-6FD9-642D-0500-00000000CB02}420784C:\Windows\system32\csrss.exe{EDA2768C-7309-642D-0C01-00000000CB02}3772C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000272460Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:09:29.045{EDA2768C-6FEA-642D-2900-00000000CB02}26284044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EDA2768C-7309-642D-0C01-00000000CB02}3772C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000272459Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:09:29.046{EDA2768C-7309-642D-0C01-00000000CB02}3772C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{EDA2768C-6FDA-642D-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{EDA2768C-6FEA-642D-2900-00000000CB02}2628C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000209202Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:09:29.179{8E625C7F-6FE3-642D-6100-00000000CC02}3076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-176.us-east-2.compute.internal49855-false10.0.1.12-8000- 23542300x8000000000000000209201Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:09:30.438{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB0BE519057C2B14845D8420C6D20B13,SHA256=E5D6297AF4A6058315A208FBE2D8751AF87CDFE9793821C29DC12D1A902675FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272476Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:09:30.576{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7FF5F2C281AF91238DC7EF2A7A20643,SHA256=306D1B51DC01C3C78784AA8FA90D7C4BFAF246D48E8CA55167AFFB877E13A23F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272475Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:09:30.279{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=223DA0232FC7B4231F925424F11FC7D6,SHA256=6665DED1858BD4CEF8E9BB7135EAA6D8C4DCC9C8E717250E864A7A4108D95C4D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000209203Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:09:31.531{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E4D7E31A5393E0AB53EE0D996962E8B,SHA256=95D302A1812AE0E2157E88A5E1D88CA6CAD831F683B9B5E6F1E6F4174644A615,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272490Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:09:31.791{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02BE937D76B4D8C389CF55548B245445,SHA256=A0D5E03A553C7D960B5F14BAD7577D4B4D1BFB2C9BABD90D03FE4D26265AE354,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000272489Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:09:31.076{EDA2768C-6FEB-642D-3500-00000000CB02}31363164C:\Windows\system32\conhost.exe{EDA2768C-730B-642D-0D01-00000000CB02}2864C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272488Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:09:31.076{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272487Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:09:31.076{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272486Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:09:31.076{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272485Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:09:31.076{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272484Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:09:31.076{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272483Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:09:31.076{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272482Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:09:31.076{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272481Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:09:31.076{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272480Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:09:31.076{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272479Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:09:31.076{EDA2768C-6FD9-642D-0500-00000000CB02}420784C:\Windows\system32\csrss.exe{EDA2768C-730B-642D-0D01-00000000CB02}2864C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000272478Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:09:31.076{EDA2768C-6FEA-642D-2900-00000000CB02}26284044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EDA2768C-730B-642D-0D01-00000000CB02}2864C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000272477Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:09:31.077{EDA2768C-730B-642D-0D01-00000000CB02}2864C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{EDA2768C-6FDA-642D-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{EDA2768C-6FEA-642D-2900-00000000CB02}2628C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000209204Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:09:32.625{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=171C9D270FF92C49D6D1ECB86329DA07,SHA256=C92072B417FABEDBC8380808BE44CE3AC7C1C778E7635BA01B272A504FBB636B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272492Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:09:32.877{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72E7F66D7997C24009BD08CD5E9BD2C9,SHA256=A94E1167D12945FCD27CEFDC5C2E602E6B7CE27ECD0CCC181A55C172E5B7D799,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272491Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:09:32.262{EDA2768C-6FEA-642D-2800-00000000CB02}2608NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0325ca857d975bee2\channels\health\respondent-20230405125612-012MD5=8F9BF81EEEF0CC5FBD19D34ACA4D7654,SHA256=BDB857148A23C205BC97FF1DFCA28720A075C205934C789E9782C71AA2112876,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000209205Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:09:33.719{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91CC13348FEACC65F767D633F7BAE780,SHA256=1388F483D3B1589DDCA14D3CE6816F246820FF90C55EB802C8D88CCEF5A99CA4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272495Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:09:33.975{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA396A04B2F6C737C0F696390D5E82F0,SHA256=E74E1B88DC0F6EFF7B0066D88F1847042D0DB1CE43AAAB90F1A41A202495B945,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000272494Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-SetValue2023-04-05 13:09:33.649{EDA2768C-6FDC-642D-1200-00000000CB02}388C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d967bf-0xdd7ccd7d) 23542300x8000000000000000272493Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:09:33.269{EDA2768C-6FEA-642D-2800-00000000CB02}2608NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0325ca857d975bee2\channels\health\surveyor-20230405125610-013MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000209206Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:09:34.813{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3F78FA3D8565A5BBD81B19D4E804C37,SHA256=202279CD659CED1FB292924BDE751920A585A6368EFA951AFEE4D3A4FB984673,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000209207Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:09:35.906{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03116B44891C12AF1E0E85BB50FAA6CF,SHA256=A025F98D9F6CD4ED034B76BE869B912F6CC473D169CE6042C6386BA27E7CC5A6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000272497Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:09:33.049{EDA2768C-6FF5-642D-7000-00000000CB02}1600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-192.attackrange.local63891-false10.0.1.12-8000- 23542300x8000000000000000272496Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:09:35.178{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1945F62A20B63DC2229A0F0266016571,SHA256=FCA9841F25828B7FCFABAFD031CF75FD8BBF731FCF3B0BF3E747CC8834769E3F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272498Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:09:36.272{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6F53CC3328DAB4B46B3F3A94BB6E059,SHA256=D7B907B4D72BBF8AF0DFD0F881A011456297849093E4BCD0B8872C9017FB3FBB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000209209Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:09:37.000{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D70F229E3FC7797646FF7617666762BF,SHA256=804AC9A59FDA2AFC22CA3DE7BC365C12A83542EC4605A8CB305C08C10D4B65CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000209208Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:09:37.000{8E625C7F-6FD8-642D-1E00-00000000CC02}1944NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=764E47ADA8E53C289692B2EF319D7035,SHA256=1541C7AE53ACAAA968CBBA598A794F5DE4E8FC5AE9F7F5A28F910BCFC9614353,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272499Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:09:37.475{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B618897902AC68C553C6A494E7C0657,SHA256=82052DE53544523D1B60D0527A3AB6B19D573C09F97C8125697B625E6A9BCFC5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000209211Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:09:35.117{8E625C7F-6FE3-642D-6100-00000000CC02}3076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-176.us-east-2.compute.internal49856-false10.0.1.12-8000- 23542300x8000000000000000209210Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:09:38.094{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9BC6A31FB0625D6B20A0F71D88658F4,SHA256=FA244E5373202CF4CA459EEAC10C653F4E909001792BD65620BE91D8B9CD7964,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272500Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:09:38.679{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8E4186DEC32F50CA77D29D0FA9D4B59,SHA256=640EED3F56DA7C8E9029623A31AA5E0DC129CF017E2A924D10443F554DB7BA7D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000209212Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:09:39.188{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39A9B34585EBE36F9FB175D32566D01E,SHA256=2E17FE47429B65738039FDA8439EB30F8DDBE141990C0191D710A8D0C61C71F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272501Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:09:39.772{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F73698E59C0A18330631D05359E6CBB,SHA256=22E2F23873F242BE5988CCD9DC62B5A35D725874515B4BC1AA04D79F29239554,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000209213Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:09:40.281{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE12D01F92E590DB602309489B9DCC3B,SHA256=100A6D22CD1BBD77DC76281F21E358A67D0232CFE793F7D37BC4185F0028EBD2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272502Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:09:40.866{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A6BF7FA3C1DA34C2927A2B2681B9C67,SHA256=85F3867612008A76CA3D14D1A2B793F5A4D337ADB15A8C84D01EF597E23A61C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000209214Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:09:41.375{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=635DF307AB4ADFA2226FD5911C290188,SHA256=4B20D77C2955B638F2AEF542D15C46421AC7A9D7759A9772164915C7FEE8CF30,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000209215Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:09:42.469{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6B8B8CFB41ECD367671FB15722F17DA,SHA256=35C90E72A4F0F6F095DD8DA5928B8F4685C2FD89A37A714B9BB8EC86CFCC5A80,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000272504Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:09:39.034{EDA2768C-6FF5-642D-7000-00000000CB02}1600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-192.attackrange.local63892-false10.0.1.12-8000- 23542300x8000000000000000272503Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:09:42.069{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD7F2163DB9F36F1B3CAB7B97FD4D4F4,SHA256=9FC8FE0BA6D9E51E0D925623504F9A47B8C9933C5C269E34AF76103F98A39E9E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000209217Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:09:43.563{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2995289AD473229C96C4E46B5EF259F0,SHA256=8EEAF60BA70355A94573B76523B5B3B8B98CCC4E148F1457D9BFA90921AE618C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000209216Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:09:41.085{8E625C7F-6FE3-642D-6100-00000000CC02}3076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-176.us-east-2.compute.internal49857-false10.0.1.12-8000- 23542300x8000000000000000272505Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:09:43.272{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7F744068E961446A0F3748119DA0CF1,SHA256=DF787B2A71ED3FC31C3CD9F96BF5B8CFE49A61E6C3E5EF58DFAE9FC3DF48EF25,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000209218Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:09:44.766{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75E4DCCAE2ACEAD443F23790B3178B87,SHA256=9338AB778246A4533DFF2B66C37EE2D60B26C03326362CC2017BF1AF3BBEFC3B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272506Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:09:44.366{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7427498078E2C4DCFFDC11630E2BA182,SHA256=FBC037268EAFC2904CFFE0F80B64A1A20D85724B4A1C894ACFAF5F06C99ED851,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272507Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:09:45.695{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53861F8D98FEE685EBCCDE429A99A3ED,SHA256=6E389692A87F5D129B73080B28D8B90911D715127630523904B48DAC679F60E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000209219Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:09:46.078{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AAD4CAB6C49101E54777C9E725412D85,SHA256=01E72A0B549FD28E4D991917D102EA5C51C0BE2982833349A2DDFF4E5F73CC2F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272508Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:09:46.898{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C20DBC68E3D4DE750AA2CC7C9EB63A45,SHA256=8B7E722A39943244E91133CC7283A94F46C2D506A838ED24C90BF1E53E2F3427,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000209220Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:09:47.281{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D9FABD5FEC8D1B52039BA6F65B27E81,SHA256=C9F64645A92AFC97DE0B0BF81EF27CD26483CC6022FC4EE99B404BDC587A6352,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000272509Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:09:44.971{EDA2768C-6FF5-642D-7000-00000000CB02}1600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-192.attackrange.local63893-false10.0.1.12-8000- 23542300x8000000000000000209221Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:09:48.375{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57DEE0CC42838DC6B47813AB72AC89DC,SHA256=DC54A667B1E1CEAA7E3813EA43FB2A57A590DA635649B7F3C2A08560EB19E7B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272510Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:09:47.992{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9902C41F5735E570CFDC1CD5C00AFA2,SHA256=E500C68AC191A8A90E0487A6B7A557B355279D439B269A5DF81E850576F2DE70,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000209223Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:09:47.117{8E625C7F-6FE3-642D-6100-00000000CC02}3076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-176.us-east-2.compute.internal49858-false10.0.1.12-8000- 23542300x8000000000000000209222Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:09:49.469{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D5DC186C392E3AA2D3BCA614135F48C,SHA256=6E02D492C9B768B9284C23C8AA696D3DC23915FFD81F57D24263AAAF6E8DEB9E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272511Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:09:49.195{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=505561E339E5C1328B855A7D29ACD98D,SHA256=CEA91490327423C1C28234D7C0042212972F06A7E7EDB3F0FCF7BC2297898EA3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000209224Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:09:50.562{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8ACEA52DFEAFD3DB1A0485DB13A35813,SHA256=6865C3C910DD4B3FD0D93BAF418F7C5C4FB40AF825F482A53470125C3396605B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272512Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:09:50.289{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C652E90FD0EA7ECF97E041C77278E8A5,SHA256=7BFAFFC54DFA036FDEC3EF07A05B124C92404A8C630F2C3FBE78A59022553CEA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000209225Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:09:51.656{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0C601BD168FC3DB9C05B13160A78CBD,SHA256=E2C07590CE26300D023B7F5F7CB61C182404CC1F595BA20C62419F1D59603717,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272513Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:09:51.492{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8EF5E80C693993BCE39AFAEFC3C942B2,SHA256=183642851A0FD4F84F97AA188F7753203052D43F999C62A3F9E5C7DB89D14CEB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000209227Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:09:52.859{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D742EEB8426837A997F78520A607D0B,SHA256=DA7E7CCBB2E1A8AF3DD1475DE704A758BD6C6624871002312C26989F24DFD6F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000209226Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:09:52.437{8E625C7F-6FD8-642D-1100-00000000CC02}976NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=5FFAC7F6651747AFA63DFF43A80925F9,SHA256=43A9C83AE52C86C04C4D35EA9DDBF9A87010845B2ACEBE00D63ADF009650EE67,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272514Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:09:52.695{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8ED68DF3F54BB46AC6CDB8E79A2B149,SHA256=340F4B3D0D70E0CEEDFDAED3028B2AE1A02C38066AAD7EFD0D8070EE8B704893,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000209228Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:09:53.953{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1FB2E829567348EF6132A12FE600A05D,SHA256=CEECF57AF44EE4FCA0196FA71CB453FDCE350361C02FC74B43F9F4CF5D5A77DE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000272515Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:09:50.955{EDA2768C-6FF5-642D-7000-00000000CB02}1600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-192.attackrange.local63894-false10.0.1.12-8000- 354300x8000000000000000209229Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:09:53.054{8E625C7F-6FE3-642D-6100-00000000CC02}3076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-176.us-east-2.compute.internal49859-false10.0.1.12-8000- 23542300x8000000000000000272516Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:09:54.008{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD1BFC5E8085A56B693D31668802BC2D,SHA256=387B4183C9B34111AED910B7D4AB97780D751D6D2EE3A4642752635EE9129486,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000209230Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:09:55.156{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0A68E60C8BB6AFA9D2D2ADA0512F3A2,SHA256=BB1DF6F6B85727609C3A16A7D9E92614C6D910910398631F943EFA99DEFA5593,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272518Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:09:55.289{EDA2768C-6FEA-642D-2900-00000000CB02}2628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=50F51022891B3004A3051198C44A0383,SHA256=3189BBFD93253389E7252BB4D31A2584F6A257124F4A287A1A55DF1520AE6443,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272517Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:09:55.101{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6ED7C16BA5A8C207CA59775161AEA0A7,SHA256=F847E78E0615FB85D857FC442B908F90760E4D6ED7121BD73AC83150BE81624E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000209231Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:09:56.469{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FAF1CF90E223890E5DF6FFDC52051D3,SHA256=6F0E71FCE53C90180EFD2C04CE7211D518F108AD5364BFF4BCC6E58362E696CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272519Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:09:56.414{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=504520A90838FFEA9F7E4FFDF5F8B789,SHA256=260C7AC5DEB9317D3937FF35E19F13F23624F836D0BD5DB5DE0928F797966071,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000209232Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:09:57.781{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76A3E579D4783DBF1C0F359E4D5666AA,SHA256=46C4CCC6D38661068C1CB3A1FEAFC3E4ED1236D9FF65DC79324E6B984028DD24,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272520Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:09:57.617{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9400E350470942832210AD5B38D8E0C,SHA256=1DE384BF32BF3FD5A9E9C9C3B3EC2690A2630F94FDC4DA23F10120BDB33A2E99,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000209233Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:09:58.984{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6965779DAEC06030633FCEE9EFFE82B,SHA256=CB49A321028DFE45040379E6D3EE40BAEBCAB81E81347097B702725E3949801F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272522Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:09:58.820{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EDB33423797E976F6BD3D1EB1D80379B,SHA256=8AD4D083D098487045569C78438D0391EAE34406C304CD95234363BB0A1118DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272521Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:09:58.305{EDA2768C-6FDC-642D-1100-00000000CB02}92NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=FBED4EC653C6DC3C352E01DA08C15D70,SHA256=89CE5F673BA722D92B88AC9FF9737451C1ECC165F63AF215299310ED9E99F3A5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000272523Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:09:56.924{EDA2768C-6FF5-642D-7000-00000000CB02}1600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-192.attackrange.local63895-false10.0.1.12-8000- 23542300x8000000000000000209234Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:10:00.187{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=583F0DA87038D28A60C60400EF29F87F,SHA256=0CF7CD288601289E2F8E9E6E66969807A1BA9F7AA1CA7112D989D7B87DC74D36,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272524Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:10:00.023{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1A261C3E369E3C490F6458FB1948047,SHA256=18C7DFD917864B5B6369448D58A4206654C8FC76F1AAE3ABC1A18260E4812F9D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000209235Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:10:01.391{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8EA159D52D525F432EA88E20861E18A7,SHA256=69AB3FD780CE8B56670DADBC68720B492508B37210BEECD109C5C2C135A17C5E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272525Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:10:01.117{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=974438B66972A6F73E400AA7EB5617C4,SHA256=C37E1477B62D0B297CEF378871E02DA4E74A5B1927FD5684F8315DD5313F4D0C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000209237Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:10:02.703{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7CB8DE52A0B494E798137793B5382958,SHA256=0289FE7B0E020549EDD750DD9700C8A8445D800CCEA876B9AE2B8D2138A3F18B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000209236Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:09:59.085{8E625C7F-6FE3-642D-6100-00000000CC02}3076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-176.us-east-2.compute.internal49860-false10.0.1.12-8000- 23542300x8000000000000000272526Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:10:02.321{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5469BDC5022CC6713A80890341168A94,SHA256=4C6A93E66BAA28B8D2FAC9B89B03DCBBDA29234BDF7FBDA65B0BC756D21471DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000209239Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:10:03.797{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B6D8C14589CFB8043F65EB6DC5AF6D3,SHA256=02F125A0F6F60E8D0AB198E510722B8A526AB9320239505C0C297D818BBE94E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000209238Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:10:03.516{8E625C7F-6FD8-642D-1E00-00000000CC02}1944NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=A7F5F15494D40628A6454642BDB837C6,SHA256=A232CA83B5EE3C99D23413319539A66CCCA50F101DFBC10136DB50B1520A2DBE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272527Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:10:03.414{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=857F5FD36EFB90CE611073F8C911D581,SHA256=DAAD140A337CA5F684DBBE18BCAAAA4A2CB1B034AFB29ED77B9592A07898ACD5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272528Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:10:04.727{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51B721BFCBE6C244FF5D91CFF2CF6EE0,SHA256=02DB920A9EB25E8DC03905BF1AB69FDA13F8494B91598B9956157186645E9CFC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000209254Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:10:03.492{8E625C7F-6FD8-642D-1E00-00000000CC02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-176.us-east-2.compute.internal49861-false10.0.1.12-8089- 10341000x8000000000000000209253Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:10:05.250{8E625C7F-6FD9-642D-2E00-00000000CC02}28362856C:\Windows\system32\conhost.exe{8E625C7F-732D-642D-0701-00000000CC02}3916C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209252Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:10:05.250{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209251Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:10:05.250{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209250Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:10:05.250{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209249Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:10:05.250{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209248Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:10:05.250{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209247Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:10:05.250{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209246Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:10:05.250{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209245Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:10:05.250{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209244Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:10:05.250{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209243Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:10:05.250{8E625C7F-6FD7-642D-0500-00000000CC02}4121036C:\Windows\system32\csrss.exe{8E625C7F-732D-642D-0701-00000000CC02}3916C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000209242Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:10:05.250{8E625C7F-6FD8-642D-1E00-00000000CC02}19442984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8E625C7F-732D-642D-0701-00000000CC02}3916C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000209241Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:10:05.251{8E625C7F-732D-642D-0701-00000000CC02}3916C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8E625C7F-6FD7-642D-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{8E625C7F-6FD8-642D-1E00-00000000CC02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000209240Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:10:05.109{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1046850C80B56F616935F736897E9965,SHA256=8DA09068DF7CA2D2F1C051D9DB65CEFA299F29F56E0A50A53AAD352F95DA6ECA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272530Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:10:05.821{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80A7D4FC91E1930DE1223E1F7856F38C,SHA256=51F505B4CE505336706581DBE9977307AD23997F114B5DF96581CD38D5B49D46,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000272529Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:10:02.096{EDA2768C-6FF5-642D-7000-00000000CB02}1600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-192.attackrange.local63896-false10.0.1.12-8000- 10341000x8000000000000000209270Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:10:06.469{8E625C7F-732E-642D-0801-00000000CC02}31482816C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{8E625C7F-6FD8-642D-1E00-00000000CC02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000209269Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:10:06.344{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=156D143F61CD06C05E6DF1B722748AC6,SHA256=39353780F2C4AB8BF0064A3A4D2769677AC8F81FDBFF480BB5AE5C5813DFC183,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000209268Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:10:06.312{8E625C7F-6FD9-642D-2E00-00000000CC02}28362856C:\Windows\system32\conhost.exe{8E625C7F-732E-642D-0801-00000000CC02}3148C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209267Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:10:06.312{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209266Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:10:06.312{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209265Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:10:06.312{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209264Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:10:06.312{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209263Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:10:06.312{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209262Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:10:06.312{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209261Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:10:06.312{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209260Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:10:06.312{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209259Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:10:06.312{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209258Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:10:06.312{8E625C7F-6FD7-642D-0500-00000000CC02}4121036C:\Windows\system32\csrss.exe{8E625C7F-732E-642D-0801-00000000CC02}3148C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000209257Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:10:06.312{8E625C7F-6FD8-642D-1E00-00000000CC02}19442984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8E625C7F-732E-642D-0801-00000000CC02}3148C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000209256Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:10:06.313{8E625C7F-732E-642D-0801-00000000CC02}3148C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8E625C7F-6FD7-642D-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{8E625C7F-6FD8-642D-1E00-00000000CC02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000209255Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:10:06.203{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B7D8A43B2BA36EFA26BF0128EB68E2E,SHA256=3D76904EEB62398C610BF1E7E8AD3DC1ADEE9931E9793BB92195631969A95C29,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272531Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:10:06.915{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7EE8E67A4A3E5BFDBCBB14435F816E1,SHA256=340C40FEAE82C9967DA197B36D24FDB2534FDC9EA54DF67F21B7783DFCBDCC25,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000209286Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:10:07.531{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6705A4BA37E015AFC782099665CB2325,SHA256=D12091177540FB846C3DC5A5516A76C5F8FA3B93AFAC212521668D5581994FE1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000209285Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:10:05.101{8E625C7F-6FE3-642D-6100-00000000CC02}3076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-176.us-east-2.compute.internal49862-false10.0.1.12-8000- 23542300x8000000000000000209284Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:10:07.203{8E625C7F-6FD8-642D-1E00-00000000CC02}1944NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=B7148303DAD8D3FB52029B3808C1E16B,SHA256=D91E6A6A6E70DED7D4B7D7AFFB771A588C3CAB9A9EEC0006E0767C772D41ACD8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000209283Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:10:07.016{8E625C7F-6FD9-642D-2E00-00000000CC02}28362856C:\Windows\system32\conhost.exe{8E625C7F-732F-642D-0901-00000000CC02}596C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209282Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:10:07.016{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209281Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:10:07.016{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209280Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:10:07.016{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209279Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:10:07.016{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209278Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:10:07.016{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209277Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:10:07.016{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209276Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:10:07.016{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209275Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:10:07.016{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209274Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:10:07.016{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209273Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:10:07.016{8E625C7F-6FD7-642D-0500-00000000CC02}412540C:\Windows\system32\csrss.exe{8E625C7F-732F-642D-0901-00000000CC02}596C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000209272Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:10:07.016{8E625C7F-6FD8-642D-1E00-00000000CC02}19442984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8E625C7F-732F-642D-0901-00000000CC02}596C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000209271Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:10:07.016{8E625C7F-732F-642D-0901-00000000CC02}596C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8E625C7F-6FD7-642D-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{8E625C7F-6FD8-642D-1E00-00000000CC02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000209300Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:10:08.875{8E625C7F-6FD9-642D-2E00-00000000CC02}28362856C:\Windows\system32\conhost.exe{8E625C7F-7330-642D-0A01-00000000CC02}648C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209299Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:10:08.875{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209298Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:10:08.875{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209297Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:10:08.875{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209296Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:10:08.875{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209295Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:10:08.875{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209294Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:10:08.875{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209293Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:10:08.875{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209292Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:10:08.875{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209291Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:10:08.875{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209290Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:10:08.875{8E625C7F-6FD7-642D-0500-00000000CC02}4121036C:\Windows\system32\csrss.exe{8E625C7F-7330-642D-0A01-00000000CC02}648C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000209289Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:10:08.875{8E625C7F-6FD8-642D-1E00-00000000CC02}19442984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8E625C7F-7330-642D-0A01-00000000CC02}648C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000209288Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:10:08.876{8E625C7F-7330-642D-0A01-00000000CC02}648C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8E625C7F-6FD7-642D-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{8E625C7F-6FD8-642D-1E00-00000000CC02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000209287Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:10:08.406{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3435542FB528B32A91666CCA16B52F3E,SHA256=5BDE88F283DC505371F21AEEF68385174DF3FD3C8CC219AE7B6A89A9CB9CB982,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272532Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:10:08.009{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BAA2CC485BD04C0FE338D26C80544BB7,SHA256=8E2B00A1F7B5E8884512E65121FB4B3F2FA9B53EEA9E0182CA21DD53E49685D6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000209316Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:10:09.984{8E625C7F-7331-642D-0B01-00000000CC02}31923976C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{8E625C7F-6FD8-642D-1E00-00000000CC02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209315Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:10:09.812{8E625C7F-6FD9-642D-2E00-00000000CC02}28362856C:\Windows\system32\conhost.exe{8E625C7F-7331-642D-0B01-00000000CC02}3192C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209314Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:10:09.812{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209313Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:10:09.812{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209312Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:10:09.812{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209311Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:10:09.812{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209310Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:10:09.812{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209309Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:10:09.812{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209308Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:10:09.812{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209307Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:10:09.812{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209306Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:10:09.812{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209305Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:10:09.812{8E625C7F-6FD7-642D-0500-00000000CC02}412428C:\Windows\system32\csrss.exe{8E625C7F-7331-642D-0B01-00000000CC02}3192C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000209304Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:10:09.812{8E625C7F-6FD8-642D-1E00-00000000CC02}19442984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8E625C7F-7331-642D-0B01-00000000CC02}3192C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000209303Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:10:09.814{8E625C7F-7331-642D-0B01-00000000CC02}3192C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{8E625C7F-6FD7-642D-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{8E625C7F-6FD8-642D-1E00-00000000CC02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000209302Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:10:09.500{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C8E0BBA680C0086E27EAE3F65492547,SHA256=32B5F1E2BCAF4E3240CC6C7F7848629E9F3947C3D9D766B2158524563F5FF2A4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000209301Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:10:09.047{8E625C7F-7330-642D-0A01-00000000CC02}6483492C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{8E625C7F-6FD8-642D-1E00-00000000CC02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000272533Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:10:09.102{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0AEC31B9A77487BA4E0BFADEBF5F2C1B,SHA256=0069DA376E11DE9EFE6F08045F795C523C3DE70EA2FF0EBE93E8DB59778BB145,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000209331Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:10:10.656{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3275055A56E3E2482A73C9F3D0EAE8C,SHA256=71D2F0CF0642CE2933AB558832C2E60E31FF8FA5FA1AC80347FA0FC463D7FB53,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000209330Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:10:10.641{8E625C7F-7332-642D-0C01-00000000CC02}19163388C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{8E625C7F-6FD8-642D-1E00-00000000CC02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209329Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:10:10.484{8E625C7F-6FD9-642D-2E00-00000000CC02}28362856C:\Windows\system32\conhost.exe{8E625C7F-7332-642D-0C01-00000000CC02}1916C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209328Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:10:10.484{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209327Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:10:10.484{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209326Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:10:10.484{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209325Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:10:10.484{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209324Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:10:10.484{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209323Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:10:10.484{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209322Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:10:10.484{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209321Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:10:10.484{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209320Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:10:10.484{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209319Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:10:10.484{8E625C7F-6FD7-642D-0500-00000000CC02}4121036C:\Windows\system32\csrss.exe{8E625C7F-7332-642D-0C01-00000000CC02}1916C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000209318Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:10:10.484{8E625C7F-6FD8-642D-1E00-00000000CC02}19442984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8E625C7F-7332-642D-0C01-00000000CC02}1916C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000209317Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:10:10.485{8E625C7F-7332-642D-0C01-00000000CC02}1916C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8E625C7F-6FD7-642D-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{8E625C7F-6FD8-642D-1E00-00000000CC02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000272536Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:10:08.033{EDA2768C-6FF5-642D-7000-00000000CB02}1600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-192.attackrange.local63897-false10.0.1.12-8000- 23542300x8000000000000000272535Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:10:10.196{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A0D9F6EB71B453C3DEAA99A85DE44B1,SHA256=E7DC2F1B8DAD664E979D5F97E5F573F30F540203880FAE185FACA81BB4DC3ACC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272534Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:10:10.165{EDA2768C-6FEA-642D-2900-00000000CB02}2628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=D5CA56D6F3597357E8C3B1CA51B9F30C,SHA256=9E08A18D639B411C72E2A6F9A6F9758642B555BE3D4AE0CCE8F17A39E92A7600,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000209333Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:10:11.922{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D08FE7053F69615F000F9ABAF079134,SHA256=517C5A62042797B590A4265A2231F6CB34907EDBF196E9C4393AA4800FF42827,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000209332Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:10:11.703{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1B1B6691487669E42575188E67B40C22,SHA256=BF6ACFDB2DE0F33260BC4D4305A243B5169BC183F80867BD947C00FA97035342,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000272538Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:10:09.017{EDA2768C-6FEA-642D-2900-00000000CB02}2628C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-192.attackrange.local63898-false10.0.1.12-8089- 23542300x8000000000000000272537Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:10:11.290{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DC81CA238F0E2355B1EE9194470C031,SHA256=CC67F6D7F39CF7A9E3FBB453EAAAD780AEB7FB26898C867D3EAF75553D1DBE7A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000209346Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:10:12.344{8E625C7F-6FD9-642D-2E00-00000000CC02}28362856C:\Windows\system32\conhost.exe{8E625C7F-7334-642D-0D01-00000000CC02}3604C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209345Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:10:12.344{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209344Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:10:12.344{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209343Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:10:12.344{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209342Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:10:12.344{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209341Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:10:12.344{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209340Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:10:12.344{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209339Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:10:12.344{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209338Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:10:12.344{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209337Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:10:12.344{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209336Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:10:12.344{8E625C7F-6FD7-642D-0500-00000000CC02}412540C:\Windows\system32\csrss.exe{8E625C7F-7334-642D-0D01-00000000CC02}3604C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000209335Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:10:12.344{8E625C7F-6FD8-642D-1E00-00000000CC02}19442984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8E625C7F-7334-642D-0D01-00000000CC02}3604C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000209334Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:10:12.344{8E625C7F-7334-642D-0D01-00000000CC02}3604C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8E625C7F-6FD7-642D-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{8E625C7F-6FD8-642D-1E00-00000000CC02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000272539Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:10:12.384{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=360A441DE670B3E147E375A90399D1D7,SHA256=45460F808D670C41CC9E26CE716FBFF5845EFDC132C33C50B5CDCE59882403A4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000209348Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:10:11.116{8E625C7F-6FE3-642D-6100-00000000CC02}3076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-176.us-east-2.compute.internal49863-false10.0.1.12-8000- 23542300x8000000000000000209347Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:10:13.016{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C675D52D49589BE61AF556612DFDB845,SHA256=D450191902C6726916975C71513A819DF064ACD3F418CE21D828C9EF41FA7681,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272540Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:10:13.587{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7C6DB8E4411DB1123FD7DC55FE7A84C,SHA256=A04CE4DBCC9C981A10ED9A842185C6FE369A37694F6798DBBDA5C0077D041B32,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000209350Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:10:14.620{8E625C7F-6FD8-642D-1A00-00000000CC02}1868NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0349dcef4ef1bffd1\channels\health\respondent-20230405125554-013MD5=01AFA1117B3FF8C251038CF8389D3BC3,SHA256=E6B2DA3B1F447C8796BEA507CA8DDC0A951700532C0315D7CA2BAFBA4D11A451,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000209349Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:10:14.109{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B68B5463343759FD9BFA53C826B61AD1,SHA256=B0E0006A9E7C5609236C6B17CBDC122953FF432EB5996EFA7E89AC5E77911640,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272541Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:10:14.899{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C073D4751948684A23E55ADD8F91B477,SHA256=9AEA1C4BB197FC933448C171F7366296BE1AADA005FDEDCB74AEBE8E0D7B8C4F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000209352Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:10:15.626{8E625C7F-6FD8-642D-1A00-00000000CC02}1868NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0349dcef4ef1bffd1\channels\health\surveyor-20230405125553-014MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000209351Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:10:15.187{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10420C81688299A073814958A29750BF,SHA256=15DE84E4E88245C14E1A618A516C24DD76C8319324BC30BB227A778124BC238D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000209353Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:10:16.500{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA39ABEB9C8D126717F86FA492EE469E,SHA256=249513305B54B255E5C827B44413BCE4014BD51DF555B5A3BD393AE45521871C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000272543Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:10:13.939{EDA2768C-6FF5-642D-7000-00000000CB02}1600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-192.attackrange.local63899-false10.0.1.12-8000- 23542300x8000000000000000272542Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:10:16.103{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=430741062A0190BBCED515DAA449D7EC,SHA256=4D52B348C0227F42D94D6967158617F9D0D8730383C9296AB2CC79BC4A3EE522,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000209354Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:10:17.594{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D13E59E7E57CC1C336689761A6E2EB21,SHA256=3ACE10ECDC2E7212639875FCD82A876B74AA33CFC264907AB045D338D5A24B83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272544Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:10:17.196{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1DA5D85A2C17E1903F706448200E6A76,SHA256=88516C761E59DEB4FBC8527F2840548D0EAE40171338E9AB770059BA1B00502A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000209356Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:10:18.907{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03E6ECCDB15B22C4736AE448DDC268EA,SHA256=6893D7B08D6662012C20C717FCCAE39B496847E2D800D4F84D3125216F0F7C33,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000209355Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:10:17.054{8E625C7F-6FE3-642D-6100-00000000CC02}3076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-176.us-east-2.compute.internal49864-false10.0.1.12-8000- 23542300x8000000000000000272545Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:10:18.290{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72B9DDA786204AC99282260E0265F56B,SHA256=2D71382F8581074A30E3F4F425C630F0F923E111DD20294E136E7A22FC722464,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272546Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:10:19.493{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7FB43EF7CDBF6000DF8A45501E8C4F9,SHA256=31063A93EE754B938F654F3B6A042765B02515A4532D8AD7495A8887372F4521,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000209357Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:10:20.219{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0FAE3244BD7125A9017638E33A54D52,SHA256=905C76D5FAC2DDAB353FB1E2316E067F5E69CFBFC3E36B70D8E29B005BB34E73,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272547Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:10:20.587{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0E3F39235F0D41D38DD9A35D2BE62ED,SHA256=F98E5400D85DAAF5565B3F20FD199C7812586D38E718C8F2678910A92F625421,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000209358Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:10:21.313{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=027C8ECB3E85EF55D51425B1E25715EA,SHA256=B4CF3C35F79A14048726CBF178C59B24AED6EFFCAB2CEB2FEB0C689B06D1F1DF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000272549Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:10:19.064{EDA2768C-6FF5-642D-7000-00000000CB02}1600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-192.attackrange.local63900-false10.0.1.12-8000- 23542300x8000000000000000272548Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:10:21.790{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB23B093D03E01C8CE5B6259032B9542,SHA256=03F7349B1EBC28CFFEFF6984A4098A52ED636C155143646E9EF5F66F22EEE331,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000209359Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:10:22.407{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=137FDC36A0B131632B894A41E87EF6AC,SHA256=89746FD0E5FCED0F29BE67A18A237E60EE2BF731E8A912B3394C6A22FCA7EFB1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000209360Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:10:23.500{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA55F278A9909C7C467B3D59E77C097A,SHA256=F804351657AA58410402F7D97A1376EBB07F56C0869EE6D1F67B80F2605F6D3B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272550Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:10:22.994{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4458C3324DDDC64B73C37AC2950E992E,SHA256=3B734DDD085E0A322B240D5A62A6587DDFFB426F9F4C84558354B2079B3056D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000209362Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:10:24.594{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=215003F417ABBADADFE9FA81C83C2D6A,SHA256=C604255896D4EE421322CBCAD9D29DF11D1D36E67043FFCFDDA31012DA051D2E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000209361Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:10:22.242{8E625C7F-6FE3-642D-6100-00000000CC02}3076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-176.us-east-2.compute.internal49865-false10.0.1.12-8000- 10341000x8000000000000000272577Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:10:24.931{EDA2768C-6FEB-642D-3500-00000000CB02}31363164C:\Windows\system32\conhost.exe{EDA2768C-7340-642D-0F01-00000000CB02}2212C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272576Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:10:24.931{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272575Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:10:24.931{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272574Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:10:24.931{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272573Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:10:24.931{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272572Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:10:24.931{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272571Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:10:24.931{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272570Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:10:24.931{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272569Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:10:24.931{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272568Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:10:24.931{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272567Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:10:24.931{EDA2768C-6FD9-642D-0500-00000000CB02}420436C:\Windows\system32\csrss.exe{EDA2768C-7340-642D-0F01-00000000CB02}2212C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000272566Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:10:24.931{EDA2768C-6FEA-642D-2900-00000000CB02}26284044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EDA2768C-7340-642D-0F01-00000000CB02}2212C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000272565Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:10:24.932{EDA2768C-7340-642D-0F01-00000000CB02}2212C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{EDA2768C-6FDA-642D-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{EDA2768C-6FEA-642D-2900-00000000CB02}2628C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000272564Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:10:24.197{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4D8CF4A1AB1B2111E143E27D8DC0A13,SHA256=4968ECE80AC7B75D136630DBE8ACAA1595F748C1B19F371F49D941698952A480,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000272563Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:10:24.134{EDA2768C-6FEB-642D-3500-00000000CB02}31363164C:\Windows\system32\conhost.exe{EDA2768C-7340-642D-0E01-00000000CB02}3700C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272562Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:10:24.134{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272561Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:10:24.134{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272560Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:10:24.134{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272559Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:10:24.134{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272558Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:10:24.134{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272557Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:10:24.134{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272556Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:10:24.134{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272555Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:10:24.134{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272554Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:10:24.134{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272553Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:10:24.134{EDA2768C-6FD9-642D-0500-00000000CB02}420548C:\Windows\system32\csrss.exe{EDA2768C-7340-642D-0E01-00000000CB02}3700C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000272552Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:10:24.134{EDA2768C-6FEA-642D-2900-00000000CB02}26284044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EDA2768C-7340-642D-0E01-00000000CB02}3700C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000272551Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:10:24.135{EDA2768C-7340-642D-0E01-00000000CB02}3700C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{EDA2768C-6FDA-642D-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{EDA2768C-6FEA-642D-2900-00000000CB02}2628C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000209363Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:10:25.688{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C99EA2C275CC413F45F29F8FFEBA8A5,SHA256=D8D778577F0CC2ECF2F55B39DB563C5375AC6BC7B3170F27CF300AC141B93ED2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000272594Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:10:25.775{EDA2768C-6FEB-642D-3500-00000000CB02}31363164C:\Windows\system32\conhost.exe{EDA2768C-7341-642D-1001-00000000CB02}2228C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272593Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:10:25.775{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272592Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:10:25.775{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272591Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:10:25.775{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272590Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:10:25.775{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272589Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:10:25.775{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272588Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:10:25.775{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272587Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:10:25.775{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272586Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:10:25.775{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272585Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:10:25.775{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272584Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:10:25.775{EDA2768C-6FD9-642D-0500-00000000CB02}420784C:\Windows\system32\csrss.exe{EDA2768C-7341-642D-1001-00000000CB02}2228C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000272583Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:10:25.775{EDA2768C-6FEA-642D-2900-00000000CB02}26284044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EDA2768C-7341-642D-1001-00000000CB02}2228C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000272582Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:10:25.776{EDA2768C-7341-642D-1001-00000000CB02}2228C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{EDA2768C-6FDA-642D-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{EDA2768C-6FEA-642D-2900-00000000CB02}2628C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000272581Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:10:25.572{EDA2768C-6FEA-642D-2900-00000000CB02}2628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=9AB301A7312F8A7DD818F605A89EBCE0,SHA256=0675A059D0BF8F64D1029DB407548E2B014097F246A1C25CDFBE67FEE4DBF5E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272580Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:10:25.291{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C70D61DD599FE2443012ED1156BBD9DE,SHA256=0F1FF9255A2BA43E8E116BE240185CCF094404E6636BC9AFD4C8FB183AC6C6F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272579Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:10:25.212{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41FE7AA17657FC62DBE6695F4980720C,SHA256=27515947EDE52314305AEAC08CDB1CC52EC65CEA92887042FE7B3CA59AF3C8DB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000272578Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:10:25.119{EDA2768C-7340-642D-0F01-00000000CB02}22121336C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{EDA2768C-6FEA-642D-2900-00000000CB02}2628C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000209364Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:10:26.891{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88F3748F798BDB5DD883F6E2B060305C,SHA256=35CCD4C98A2A63E6F031A4F55B009B89F477AADF76671DCE8AFB05256A5EA49E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272595Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:10:26.400{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08252741B3DF18300F7413BCCAC2249B,SHA256=3F5FCE6D0D10B6C3EAB89059238F5D401E0E40188D1981BE40D4579F20C280A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000209365Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:10:27.985{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FCB29E60A2E0F79567679857A77EBAF,SHA256=4FC9570475E7EB3F926F0578D9280326B86122462B8B1CD6585ED42DFBCE5D05,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000272611Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:10:27.900{EDA2768C-6FEB-642D-3500-00000000CB02}31363164C:\Windows\system32\conhost.exe{EDA2768C-7343-642D-1101-00000000CB02}3640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272610Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:10:27.900{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272609Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:10:27.900{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272608Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:10:27.900{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272607Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:10:27.900{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272606Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:10:27.900{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272605Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:10:27.900{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272604Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:10:27.900{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272603Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:10:27.900{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272602Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:10:27.900{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272601Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:10:27.900{EDA2768C-6FD9-642D-0500-00000000CB02}420784C:\Windows\system32\csrss.exe{EDA2768C-7343-642D-1101-00000000CB02}3640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000272600Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:10:27.900{EDA2768C-6FEA-642D-2900-00000000CB02}26284044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EDA2768C-7343-642D-1101-00000000CB02}3640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000272599Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:10:27.901{EDA2768C-7343-642D-1101-00000000CB02}3640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{EDA2768C-6FDA-642D-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{EDA2768C-6FEA-642D-2900-00000000CB02}2628C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000272598Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:10:27.713{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA58642899EE5B66591B742825CF8969,SHA256=7C24924C906A3427EA82431F1FECB1F6D759F16B8D5DB10B313E1AFEE13FC143,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000272597Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:10:24.658{EDA2768C-6FDA-642D-0B00-00000000CB02}648C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-192.attackrange.local63901-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-192.attackrange.local389ldap 354300x8000000000000000272596Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:10:24.658{EDA2768C-6FEA-642D-2700-00000000CB02}2600C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-192.attackrange.local63901-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-192.attackrange.local389ldap 23542300x8000000000000000272628Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:10:28.853{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90454EFEF05237EE8BA694AF76CCE06F,SHA256=0D57DFE53D41AB30D9961BE81F08168D3B35CA72F16A7A664C748CAF08192D88,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000272627Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:10:28.572{EDA2768C-7344-642D-1201-00000000CB02}428220C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{EDA2768C-6FEA-642D-2900-00000000CB02}2628C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000272626Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:10:24.970{EDA2768C-6FF5-642D-7000-00000000CB02}1600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-192.attackrange.local63902-false10.0.1.12-8000- 10341000x8000000000000000272625Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:10:28.400{EDA2768C-6FEB-642D-3500-00000000CB02}31363164C:\Windows\system32\conhost.exe{EDA2768C-7344-642D-1201-00000000CB02}428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272624Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:10:28.400{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272623Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:10:28.400{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272622Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:10:28.400{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272621Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:10:28.400{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272620Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:10:28.400{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272619Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:10:28.400{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272618Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:10:28.400{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272617Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:10:28.400{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272616Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:10:28.400{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272615Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:10:28.400{EDA2768C-6FD9-642D-0500-00000000CB02}420784C:\Windows\system32\csrss.exe{EDA2768C-7344-642D-1201-00000000CB02}428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000272614Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:10:28.400{EDA2768C-6FEA-642D-2900-00000000CB02}26284044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EDA2768C-7344-642D-1201-00000000CB02}428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000272613Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:10:28.401{EDA2768C-7344-642D-1201-00000000CB02}428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{EDA2768C-6FDA-642D-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{EDA2768C-6FEA-642D-2900-00000000CB02}2628C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000272612Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:10:28.119{EDA2768C-7343-642D-1101-00000000CB02}36403716C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{EDA2768C-6FEA-642D-2900-00000000CB02}2628C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000209367Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:10:28.211{8E625C7F-6FE3-642D-6100-00000000CC02}3076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-176.us-east-2.compute.internal49866-false10.0.1.12-8000- 23542300x8000000000000000209366Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:10:29.078{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4DEDA821E8C01087FBF0C66B3E606C44,SHA256=F519A389F6D2367A01A1FC98B0C522E5087D8598ED61DCC4C0871268AB3BC184,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272643Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:10:29.916{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE72CDAB891330C1FC33A85C470104EB,SHA256=A8F9AA392D194101269F779574DD8DA895ED3B1954BEAFEA3A1CD7EF009746AE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000272642Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:10:29.260{EDA2768C-7345-642D-1301-00000000CB02}33004076C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{EDA2768C-6FEA-642D-2900-00000000CB02}2628C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272641Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:10:29.072{EDA2768C-6FEB-642D-3500-00000000CB02}31363164C:\Windows\system32\conhost.exe{EDA2768C-7345-642D-1301-00000000CB02}3300C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272640Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:10:29.072{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272639Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:10:29.072{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272638Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:10:29.072{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272637Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:10:29.072{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272636Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:10:29.072{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272635Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:10:29.072{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272634Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:10:29.072{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272633Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:10:29.072{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272632Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:10:29.072{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272631Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:10:29.072{EDA2768C-6FD9-642D-0500-00000000CB02}420548C:\Windows\system32\csrss.exe{EDA2768C-7345-642D-1301-00000000CB02}3300C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000272630Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:10:29.072{EDA2768C-6FEA-642D-2900-00000000CB02}26284044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EDA2768C-7345-642D-1301-00000000CB02}3300C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000272629Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:10:29.073{EDA2768C-7345-642D-1301-00000000CB02}3300C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{EDA2768C-6FDA-642D-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{EDA2768C-6FEA-642D-2900-00000000CB02}2628C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000209368Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:10:30.172{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C38A0D207AF5A64BDFF2359838982290,SHA256=A679DB8CA92687D0501DF81757C9E29742CEAA2D2D8CA1C99B06EF4F34A15C97,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000209369Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:10:31.266{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2B8350EEED539412FAC9A4FED39CFFB,SHA256=BA6E0EF090E51BBBDD58468BC5ADF06A7BA51F0394FC0AC53940CDFD569548F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272657Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:10:31.119{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=760EECA4D5308030C554C5ACB0D2835F,SHA256=0A707C6F166EF076E1B5AD0B3B835E49F6A6DC812E56BC971827D5CF43D4B847,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000272656Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:10:31.088{EDA2768C-6FEB-642D-3500-00000000CB02}31363164C:\Windows\system32\conhost.exe{EDA2768C-7347-642D-1401-00000000CB02}2840C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272655Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:10:31.088{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272654Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:10:31.088{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272653Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:10:31.088{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272652Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:10:31.088{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272651Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:10:31.088{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272650Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:10:31.088{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272649Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:10:31.088{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272648Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:10:31.088{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272647Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:10:31.088{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272646Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:10:31.088{EDA2768C-6FD9-642D-0500-00000000CB02}420784C:\Windows\system32\csrss.exe{EDA2768C-7347-642D-1401-00000000CB02}2840C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000272645Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:10:31.088{EDA2768C-6FEA-642D-2900-00000000CB02}26284044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EDA2768C-7347-642D-1401-00000000CB02}2840C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000272644Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:10:31.089{EDA2768C-7347-642D-1401-00000000CB02}2840C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{EDA2768C-6FDA-642D-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{EDA2768C-6FEA-642D-2900-00000000CB02}2628C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000209370Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:10:32.375{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B329694A1F9FAD8EF191124A8C820EAE,SHA256=3559F97ECACD023FC994FFFADB4F90FA74490DC1CF29CDB103CA9E95E2ACD3B4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000272660Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:10:29.986{EDA2768C-6FF5-642D-7000-00000000CB02}1600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-192.attackrange.local63903-false10.0.1.12-8000- 23542300x8000000000000000272659Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:10:32.213{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB782902C74DE23A07C37A4B7CCE883A,SHA256=A525028CB57822806F10DA2906C345C39017B1C3659A7D5A0043EDA305F9FD9F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272658Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:10:32.182{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DA8FDCB1D3D6EF93274DE9B4DF80F4B3,SHA256=0280C5873AB5DCD6FAC7FB3AD74FB1B0C47763C0C6A6E5551D5DE13CB5F85861,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000209371Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:10:33.469{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44CFAD775EB44756FB3E321E3EA928B7,SHA256=FB10B264B66E23E9D30D64D8336A63BED9908D61BA26F5F1DD68A9F1BD7CECC1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272662Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:10:33.788{EDA2768C-6FEA-642D-2800-00000000CB02}2608NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0325ca857d975bee2\channels\health\respondent-20230405125612-013MD5=8F9BF81EEEF0CC5FBD19D34ACA4D7654,SHA256=BDB857148A23C205BC97FF1DFCA28720A075C205934C789E9782C71AA2112876,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272661Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:10:33.410{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08C46CD1F5E1B30AD41E06485BA19323,SHA256=0DED01EBDA6B8AEF6723B83722EF24FA2E2A827C57832FC1EEDADB9C3580D704,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000209372Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:10:34.563{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B62E7C14FE223030D7F003C9D3D15BB7,SHA256=01D1F39767A2AEE49E52AFE7388F587536935E7C8187C2860E4A1061AAF98450,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272664Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:10:34.794{EDA2768C-6FEA-642D-2800-00000000CB02}2608NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0325ca857d975bee2\channels\health\surveyor-20230405125610-014MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272663Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:10:34.496{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12B093D17314F90BE3CB5A88E9973B12,SHA256=DF3BA944B0DAA034E3AE1F17EBA6E54D5A330BCC6203C45896C74A044D8D7EFA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000209373Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:10:35.656{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B572B9C914BE99E90179A8F363EF86F,SHA256=FE74EA3C05C6A3DB98645A63E50A5D67F2AC53560CD353F46F497844E3D6FFFB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272665Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:10:35.683{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5DBA9596FD91C08BD2F35B27B3570A86,SHA256=25376B9CA3ACE3C4B789C7C5F24440714772C6151E601BCAEE6469920503C45D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000209375Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:10:36.860{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=300AE031C64850A4C52894D7E4537143,SHA256=FB30DA72DECB4BFE4CB7484F6B702DACB5A27427C3C6618970ECCB669C0AF044,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000209374Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:10:36.563{8E625C7F-6FD8-642D-1E00-00000000CC02}1944NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=E513B1EA245EE4AA544AA97A140D5F4E,SHA256=93E885D40AF89AB11381FAFC75938AF9DBDADE8ED2D7903568A253DD622A82C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272666Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:10:36.777{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B41E12B1D94346F79D575A669EDEACB8,SHA256=85319A7198A2BD0C50A2CD411E787D74696B2C1F61DA8CED3FBC2539A8DB94F9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000209376Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:10:34.179{8E625C7F-6FE3-642D-6100-00000000CC02}3076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-176.us-east-2.compute.internal49867-false10.0.1.12-8000- 23542300x8000000000000000272667Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:10:37.870{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49F297408623FBC9FFDA228A8658DC66,SHA256=D3B31D9D8D0061A0D5334022FE48F3AEA303228C524632586836A4E192E2E100,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000209377Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:10:38.063{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D11C1A119FC061BE74B464345BF277F9,SHA256=33D96238B38C792DA896099C78CFA4823948E841F62DF1A7EEC4380CDD593BD5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272668Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:10:38.964{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B32C43CC17407AB7CCC745B081EDC557,SHA256=24BFA1D23DD3483808AB5FBE1F4B3F6A618DB1CA420A1D8332BA62E23E73ED74,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000209378Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:10:39.156{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E4980C9451AD77D061D7AFCB21CF56B,SHA256=3FDFA8D5714EDD03AA040E37E12441F04BEDD9E946FBC0C320F3CD179B663281,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000272669Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:10:35.987{EDA2768C-6FF5-642D-7000-00000000CB02}1600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-192.attackrange.local63904-false10.0.1.12-8000- 354300x8000000000000000209380Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:10:39.195{8E625C7F-6FE3-642D-6100-00000000CC02}3076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-176.us-east-2.compute.internal49868-false10.0.1.12-8000- 23542300x8000000000000000209379Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:10:40.250{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D72C3C7A0B4FBFF071CC94837E6C7585,SHA256=BD30FC97BC03781C95973C8A124DC5D9FA5C42BF47E16477E0D630C31D9DFD5E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272670Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:10:40.167{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07E34CEF93B940FD54EE87CC3723EFAB,SHA256=90A33CA3D3E6F4079AFA732AAE6C10937BD2F3FDB7A06C0923B8FE0C2FC0E046,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000209381Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:10:41.453{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5690F17D3A0F5B775F2CF36DB32F46A7,SHA256=A2F89B953649959059E2698A1D29FAA49573D10E526D574D5EC5249EEA11EC6E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272671Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:10:41.371{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D2D2A6BB2C7154B1D39883E06B154EC,SHA256=97627C07296F349E8ECF5B7F699703A12384261C1C44A97CB32FEF9B8F9AA093,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000209382Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:10:42.656{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=584059DDDB0B755C9DEFE631F8F1FEAA,SHA256=36EDB461D50863B75C19C23E9FFC3382DA38CA54A56C023AEC59DE23A9872B16,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272672Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:10:42.464{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=028AF9076C4D11EFD82ABF8ED959B9B0,SHA256=7B5AD3772CC481901667BAAE64134EB6152B60F5C1B3F33E44A860FD1E0F33DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000209383Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:10:43.750{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7B6261DD472A34D89CB5B30784328A4,SHA256=185CE95C7DECC8C2BA94E99F6A4FD95EC87A9ED36D4F42A77BB75498340DB8A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272673Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:10:43.558{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=658EEEE7985E96D013030931E078A6D7,SHA256=FAE472C7E3870446C4AEE21892535FEF63EEEBE7F6B5FB9E7AFFF461F0C815B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272674Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:10:44.761{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=420202613180AFF93EA1CAAC05737867,SHA256=BA9974548DFAA25863F817E293FFCB4C256A17735DC83F103E38D08F38325827,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000209384Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:10:45.063{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=861886915CC1C3A45DFDB2B4C7FF6EE8,SHA256=B8FF5BCCE419766E5353C63385FAE073399E359C9A43D8A4EE7E446429B7908D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000272675Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:10:41.940{EDA2768C-6FF5-642D-7000-00000000CB02}1600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-192.attackrange.local63905-false10.0.1.12-8000- 23542300x8000000000000000209386Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:10:46.375{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0741E81EE564FECD5249961802A6F138,SHA256=3E8B1CB47980B5EB006D3CCC8BC18663D6259FFBFB794B4217DBB290F89018E8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000209385Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:10:45.023{8E625C7F-6FE3-642D-6100-00000000CC02}3076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-176.us-east-2.compute.internal49869-false10.0.1.12-8000- 23542300x8000000000000000272676Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:10:46.074{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D08338B8DE442870E7F150E910493DFF,SHA256=FC4E9F7A08E6987AEF2FA983DBD5D08347AA5B6E66A5F29A96D99C00272E4C77,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000209387Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:10:47.359{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6AB6625A76E02F39DF39F5C91082379,SHA256=8F37D3079B11AF039DDFB49D1AA516A5AC3BA38173A4628859FC376895CBE175,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272677Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:10:47.277{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67E16D6ABCEF9E19D8865808786CBAE1,SHA256=DB4B76401C92DED9B6B8219DA5CAE9A605FFF518DFD79B67B47058FB9C47656F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000209388Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:10:48.672{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4A3B78FBC9B6CC18F74D83D9B476A5E,SHA256=0641BEB948C804D23FBD542EB29AD79938FBD912C832F4F5E5E941A5250DEB33,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272678Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:10:48.371{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA317825E2296B1768F41C33B0DAE3F0,SHA256=6F94A9EC3265FBEC871DDEE997DD47B22D2EAF06C32494E13BF09D9769BEC764,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000209389Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:10:49.766{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=778E75EA853C73AD48667F12C9857317,SHA256=F746C4744530C6EF5C1BCE5B4BE46058FF83C5E4656A5B57946B70083F8A18BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272680Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:10:49.465{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D208FD9C484B6E3EBF00319310413C6,SHA256=04221B8DD50BC3C4494220EAAD45C72635B9C7CA245727D70B9D642F360ADBCA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000272679Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:10:47.096{EDA2768C-6FF5-642D-7000-00000000CB02}1600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-192.attackrange.local63906-false10.0.1.12-8000- 23542300x8000000000000000209390Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:10:50.969{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45108E13C02BC3DD00625F98B8D02D66,SHA256=594CE914896AB22F3B9FDB5B789818E343C8E8091C7FF023F85BEECAA7B8A339,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272681Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:10:50.574{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70D1774DE84E720568F9A77527D9BD05,SHA256=96E7E58C3EA65E7E4F57AC457BF6561D257825C24F283F8BDE0F8EBF1FA051CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272682Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:10:51.668{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=059BF25F179647A1B40921BCB63125DB,SHA256=D26B4403698669B4F8B6ABAB15B34526023B389942B42E5F5E1FCB8F08021013,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000209394Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-SetValue2023-04-05 13:10:52.734{8E625C7F-6FD8-642D-1500-00000000CC02}1028C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d967c0-0x0ca03c4b) 354300x8000000000000000209393Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:10:51.054{8E625C7F-6FE3-642D-6100-00000000CC02}3076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-176.us-east-2.compute.internal49870-false10.0.1.12-8000- 23542300x8000000000000000209392Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:10:52.453{8E625C7F-6FD8-642D-1100-00000000CC02}976NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=5B9451D63A63C8178C60F3EA46A99E60,SHA256=C9CD1CFD3255A474A8E30CE50633CBB86D67806E956EA1F6B6D771A4A748C8CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000209391Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:10:52.062{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92D213E71DF171A958EEECB2CD9E4FDF,SHA256=311606B6D52037AE65C270B9D0ABD0F3536E693DDD45250F45B2DF83F3EF9E04,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272683Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:10:52.762{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06EFA43FC20CCB9F3C920328CA07B8C0,SHA256=F500C09CD6F2A57701BC97F4E08BA61D897575A627C6838F64F2369049EEB2C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000209396Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:10:53.828{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=4F8D37624FED018FABD9C041B22FE8AB,SHA256=7AAE75E526FE723CB6AE97D54717CA4840CF064D6C452ED891E24FC081008E75,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000209395Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:10:53.156{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF188814ABD2A85EBE9F2AF8693C514C,SHA256=D654D328B892CC507B15B4F55757374C83300AB2AB6F92706B2E2741B3874819,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272684Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:10:53.965{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=417AB81BDC140BE311D61ADF89D2E370,SHA256=A85C465E9310F7E9FE1C1EAD70F7407DF5C472B9429D915AE3345DE123A3421D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000209398Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:10:52.710{8E625C7F-6FD8-642D-1500-00000000CC02}1028C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.15win-host-ctus-attack-range-176.us-east-2.compute.internal123ntpfalse169.254.169.123-123ntp 23542300x8000000000000000209397Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:10:54.253{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31FB574943B0161A5E0F53562A71C57F,SHA256=201E50D89B9B1617B2486E1C8D6D0A7428421ED715566605AE84CAE0B9109469,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000209399Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:10:55.363{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBAD68D9D4054D5A83F10FB60879FA3D,SHA256=85122A58F3D9C0EAC110FA46F3ADDB5737449E7A65DC2723836CF210431D9752,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272687Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:10:55.840{EDA2768C-6FEA-642D-2900-00000000CB02}2628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=895CADB9E3E6D6FC3EE7D3ADC9BA7CB2,SHA256=5512AF6B6385E22D648F184FF79F5A0AE63E57C8EABBD0DF94A04632525DBA32,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000272686Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:10:53.065{EDA2768C-6FF5-642D-7000-00000000CB02}1600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-192.attackrange.local63907-false10.0.1.12-8000- 23542300x8000000000000000272685Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:10:55.168{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6E14E442B24D775B898A1FA248C407F,SHA256=32346C1DA1ED998FFB3B2621AD1CCE6E8F885BCFE7FE7965C93A1ED84CD4370F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000209402Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:10:54.816{8E625C7F-6FDA-642D-3A00-00000000CC02}396C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-176.us-east-2.compute.internal49871-false169.254.169.254-80http 354300x8000000000000000209401Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:10:54.585{8E625C7F-6FD8-642D-1600-00000000CC02}1200C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruea00:10f:0:0:f800:83db:789:ffff-56995-truea00:10e:0:0:0:0:0:0-53domain 23542300x8000000000000000209400Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:10:56.467{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1D1AD9C2105EE135975FA9BFD3178E9,SHA256=43023BFC58C1E57024ADEB3180BF92E3A67FC487489AE0863A606B0E1614FE48,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272689Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:10:56.793{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=AA4D69A1ED44B260C54382851D7E2DF6,SHA256=DCF1BE3F76FB85FF2612FD7316E0392D11435E980975424C57283DCEB34979C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272688Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:10:56.371{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56671061F73D9EF1646D1947B1F4C7E0,SHA256=EFEB360AF9EB42E881CEDD7494C1D56F143301169EBD7A0E8799205BDD809907,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000209404Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:10:57.793{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=857DA2A104CB58F84FD07C1AF4D8D6A7,SHA256=DFB737DA93018F53CD0BC02A512E477C15D2211BDB3C400ED01330917AD750E6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000209403Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:10:56.106{8E625C7F-6FE3-642D-6100-00000000CC02}3076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-176.us-east-2.compute.internal49872-false10.0.1.12-8000- 23542300x8000000000000000272691Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:10:57.575{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9A590C64ED64714F433AD28975ED514,SHA256=768494F49084CC90F4B343EB65939E33D3342A5DB0F681F7A533537D4195284B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000272690Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:10:54.718{EDA2768C-6FEA-642D-2A00-00000000CB02}2644C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-192.attackrange.local53domainfalse10.0.1.15WIN-HOST-CTUS-A56995- 23542300x8000000000000000209405Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:10:58.897{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6677E54111730DF11C49AF1D018914D4,SHA256=6D26E558A8F914F5977A68241A9DEBFB982254BFAE6428BCF30FA1961BE169F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272693Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:10:58.668{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD654C9D94FD4C9327306409076FEAA8,SHA256=E27FDB53ADF4F8AA13F3DF9E55700F455A0BB4B0B2B166B56791128C1A8C9BE0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272692Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:10:58.309{EDA2768C-6FDC-642D-1100-00000000CB02}92NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=AE19C754A78EB4F54F40291E71AA305F,SHA256=8998B91B20842E8B78D65BBCA26F0DE82BE97F488CA5C4E892B9CDFA3DED67B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272704Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:10:59.762{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4373BFAC387A98E33329AF4D226D808,SHA256=70F751FC919FB644913C36EB8F460F06E6DF143F286E23604E366A49A7C11518,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000272703Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-SetValue2023-04-05 13:10:59.325{EDA2768C-6FDA-642D-0B00-00000000CB02}648C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000272702Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-SetValue2023-04-05 13:10:59.325{EDA2768C-6FDA-642D-0B00-00000000CB02}648C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x000dde6a) 13241300x8000000000000000272701Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-SetValue2023-04-05 13:10:59.325{EDA2768C-6FDA-642D-0B00-00000000CB02}648C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d967b7-0xaeac09a1) 13241300x8000000000000000272700Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-SetValue2023-04-05 13:10:59.325{EDA2768C-6FDA-642D-0B00-00000000CB02}648C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d967c0-0x107071a1) 13241300x8000000000000000272699Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-SetValue2023-04-05 13:10:59.325{EDA2768C-6FDA-642D-0B00-00000000CB02}648C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d967c8-0x7234d9a1) 13241300x8000000000000000272698Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-SetValue2023-04-05 13:10:59.325{EDA2768C-6FDA-642D-0B00-00000000CB02}648C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000272697Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-SetValue2023-04-05 13:10:59.325{EDA2768C-6FDA-642D-0B00-00000000CB02}648C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x000dde6a) 13241300x8000000000000000272696Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-SetValue2023-04-05 13:10:59.325{EDA2768C-6FDA-642D-0B00-00000000CB02}648C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d967b7-0xaeac09a1) 13241300x8000000000000000272695Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-SetValue2023-04-05 13:10:59.325{EDA2768C-6FDA-642D-0B00-00000000CB02}648C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d967c0-0x107071a1) 13241300x8000000000000000272694Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-SetValue2023-04-05 13:10:59.325{EDA2768C-6FDA-642D-0B00-00000000CB02}648C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d967c8-0x7234d9a1) 23542300x8000000000000000209406Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:11:00.001{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3DC7ECE8037F2E0BD646D10D3CB2F691,SHA256=4378DC8BFD0C0FEDB98897CF1BCBC7B46645596558B1209AC7806B83FF02E83E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272705Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:00.856{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28FA15F21FDF93AF81B8583BC9682C4F,SHA256=AEF66C4437E7F23760B1FF296F2A2CA4336EC3A72AC9794CFE1D55EB4491870E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000209407Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:11:01.105{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB5A92D17D10F8AB3269921F66582DC0,SHA256=2441F8F612C77E5553C4554FDA17911038ED36EDB5E6B17F3921F3C4B397719A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272707Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:01.950{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19408359E9A7434668D60112C037F453,SHA256=E9AE981DDFCC432B2A8DF2AC3DE13BE3D2145A9910CAD6F00E1F56EF69F4E804,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000272706Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:10:59.065{EDA2768C-6FF5-642D-7000-00000000CB02}1600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-192.attackrange.local63908-false10.0.1.12-8000- 23542300x8000000000000000209408Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:11:02.209{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63DAC8FEB80A8C18E46721CF78901A02,SHA256=7B1F7740843F1E79E0891881F1B3ACCB35CDCC919B3359691694E57D33EA21FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000209410Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:11:03.628{8E625C7F-6FD8-642D-1E00-00000000CC02}1944NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=A7F5F15494D40628A6454642BDB837C6,SHA256=A232CA83B5EE3C99D23413319539A66CCCA50F101DFBC10136DB50B1520A2DBE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000209409Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:11:03.313{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E751653CAC17BB45FC546179BB3FB24D,SHA256=7E5AB6BCB07C13D947FB681EB8E335ACA07BA8173C825C59FC747B9C139447B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272708Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:03.044{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96899664486DDDCC38C74D9549D3F7BF,SHA256=7897E47F068B6F45D9204783C56BDF55BED65D75C51CBDECFB819C5D0E4CF1D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000209412Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:11:04.417{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F91DDA101E1FC7F448448362080A7924,SHA256=071426D6518A9D8A0CE127F4D6F6E8AC728C17F45D103360B1D882FDA9F35D44,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000209411Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:11:01.950{8E625C7F-6FE3-642D-6100-00000000CC02}3076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-176.us-east-2.compute.internal49873-false10.0.1.12-8000- 23542300x8000000000000000272709Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:04.356{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7716012387916D02C67AD096588229D4,SHA256=93B96D6BE83F9762295C661C7367811A42BA57B29653124873CF670F6967992E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000209427Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:11:05.410{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E35725D29A27907870B88DE2D901D98,SHA256=CA8C6D6C05B348ACCA9D585B222FA748F59D9EF5AA90D408776A5DF2BC9C422F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000209426Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:11:03.513{8E625C7F-6FD8-642D-1E00-00000000CC02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-176.us-east-2.compute.internal49874-false10.0.1.12-8089- 10341000x8000000000000000209425Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:11:05.363{8E625C7F-6FD9-642D-2E00-00000000CC02}28362856C:\Windows\system32\conhost.exe{8E625C7F-7369-642D-0E01-00000000CC02}3668C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209424Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:11:05.363{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209423Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:11:05.363{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209422Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:11:05.363{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209421Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:11:05.363{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209420Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:11:05.363{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209419Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:11:05.363{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209418Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:11:05.363{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209417Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:11:05.363{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209416Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:11:05.363{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209415Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:11:05.363{8E625C7F-6FD7-642D-0500-00000000CC02}4121036C:\Windows\system32\csrss.exe{8E625C7F-7369-642D-0E01-00000000CC02}3668C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000209414Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:11:05.363{8E625C7F-6FD8-642D-1E00-00000000CC02}19442984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8E625C7F-7369-642D-0E01-00000000CC02}3668C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000209413Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:11:05.363{8E625C7F-7369-642D-0E01-00000000CC02}3668C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8E625C7F-6FD7-642D-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{8E625C7F-6FD8-642D-1E00-00000000CC02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000272710Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:05.450{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F848355F3FBF6311D66E4888AD7A36F,SHA256=EC1358C1F480BAB06981AC5BA0A0F0B5EE84B8F2DE4990732B683CCD55C6840F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000209443Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:11:06.655{8E625C7F-736A-642D-0F01-00000000CC02}39563756C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{8E625C7F-6FD8-642D-1E00-00000000CC02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000209442Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:11:06.514{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39FA53F456B361B679022C3EAB6B9D6B,SHA256=2A3A057822A527B4A71F477347AF617372A855D372648629BD24A00B0F03FD52,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000209441Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:11:06.498{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3757C3A24917012E85CE2D4EEF195479,SHA256=9D1FC398038CEBBB68C210AA74DC6A0E848C934E4090189F68B82493218F6A72,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000209440Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:11:06.450{8E625C7F-6FD9-642D-2E00-00000000CC02}28362856C:\Windows\system32\conhost.exe{8E625C7F-736A-642D-0F01-00000000CC02}3956C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209439Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:11:06.450{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209438Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:11:06.450{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209437Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:11:06.450{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209436Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:11:06.450{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209435Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:11:06.450{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209434Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:11:06.450{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209433Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:11:06.450{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209432Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:11:06.450{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209431Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:11:06.450{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209430Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:11:06.450{8E625C7F-6FD7-642D-0500-00000000CC02}4121036C:\Windows\system32\csrss.exe{8E625C7F-736A-642D-0F01-00000000CC02}3956C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000209429Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:11:06.450{8E625C7F-6FD8-642D-1E00-00000000CC02}19442984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8E625C7F-736A-642D-0F01-00000000CC02}3956C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000209428Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:11:06.451{8E625C7F-736A-642D-0F01-00000000CC02}3956C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8E625C7F-6FD7-642D-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{8E625C7F-6FD8-642D-1E00-00000000CC02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000272711Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:06.544{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBC21E4406789F7BE5BDB7A3D26069C8,SHA256=E593876E195006E8F0F94094B9EDD4C412C450228F76CE9A959123830C4E7703,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000209458Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:11:07.617{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5F82487817251A3C03C919A369D9A67,SHA256=E900FE04AE2DC22A0CACFBB292D8501848276D9FA32CD25C2838DF48C902A785,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000209457Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:11:07.100{8E625C7F-6FD8-642D-1E00-00000000CC02}1944NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=9DBD1300CC483A6AE8B5BC86799B80B4,SHA256=1A6F45B5CD15FF106690C9C305C22C52B299A1BA1E466C72ED33DB02C9F11D0A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000209456Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:11:07.018{8E625C7F-6FD9-642D-2E00-00000000CC02}28362856C:\Windows\system32\conhost.exe{8E625C7F-736B-642D-1001-00000000CC02}2776C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209455Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:11:07.018{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209454Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:11:07.018{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209453Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:11:07.018{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209452Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:11:07.018{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209451Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:11:07.018{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209450Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:11:07.018{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209449Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:11:07.018{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209448Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:11:07.018{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209447Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:11:07.018{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209446Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:11:07.018{8E625C7F-6FD7-642D-0500-00000000CC02}4123824C:\Windows\system32\csrss.exe{8E625C7F-736B-642D-1001-00000000CC02}2776C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000209445Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:11:07.018{8E625C7F-6FD8-642D-1E00-00000000CC02}19442984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8E625C7F-736B-642D-1001-00000000CC02}2776C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000209444Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:11:07.019{8E625C7F-736B-642D-1001-00000000CC02}2776C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8E625C7F-6FD7-642D-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{8E625C7F-6FD8-642D-1E00-00000000CC02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000272714Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:07.638{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E02071F8ED11251F6E94C0E571DF30E3,SHA256=4CFD83422868C0EF8E9B71609E7AD9AC3279A3B6808FF8D175478CA075E31FD7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272713Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:07.592{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Directory ServiceMD5=74B4E13DC5A1282E8C18A27B7AA99BF1,SHA256=BFB3009D66CEFB397207E61BDB18060A1D1D5D4C54A5B56A0C14CABD4E0F9C59,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000272712Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:04.096{EDA2768C-6FF5-642D-7000-00000000CB02}1600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-192.attackrange.local63909-false10.0.1.12-8000- 23542300x8000000000000000209459Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:11:08.720{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C253C49E037A583FF04921B890768264,SHA256=2274ACBB9FE1BC9ABF738F8778C90A8B4BDB6507AD2CA1ACFAC19D893660E2BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272718Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:08.685{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Directory ServiceMD5=8C81961EE6FF5C1095F379342A261F76,SHA256=4A291B34D494C21B0E3456DC3C64CC5D10C8B712C801B7769FEA81D7F5DF2F72,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272717Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:08.638{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B53603789D1431AF4A3767FC485D983D,SHA256=4D4C8B085563B6CFAEECA22881ACB6F53CAE33E6B8464F6F60BF95366C44C6AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272716Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:08.591{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E593BC02549CB9A13C4CF8717EC7A06D,SHA256=E18A0B802D79B6B658C4A00D40C1BAD97933044802980AC0F60E5ED6715328A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272715Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:08.028{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Directory ServiceMD5=CC790C7B2F4D5A77994106108E15F337,SHA256=00AD519003F79EE05AF78DDAAB7A90EFAB9A6B1DD408C78E6715D8E6416E9A41,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000209488Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:11:09.950{8E625C7F-6FD9-642D-2E00-00000000CC02}28362856C:\Windows\system32\conhost.exe{8E625C7F-736D-642D-1201-00000000CC02}3712C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209487Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:11:09.950{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209486Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:11:09.950{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209485Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:11:09.950{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209484Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:11:09.950{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209483Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:11:09.950{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209482Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:11:09.950{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209481Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:11:09.950{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209480Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:11:09.950{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209479Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:11:09.950{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209478Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:11:09.950{8E625C7F-6FD7-642D-0500-00000000CC02}412428C:\Windows\system32\csrss.exe{8E625C7F-736D-642D-1201-00000000CC02}3712C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000209477Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:11:09.950{8E625C7F-6FD8-642D-1E00-00000000CC02}19442984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8E625C7F-736D-642D-1201-00000000CC02}3712C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000209476Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:11:09.951{8E625C7F-736D-642D-1201-00000000CC02}3712C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{8E625C7F-6FD7-642D-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{8E625C7F-6FD8-642D-1E00-00000000CC02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000209475Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:11:09.824{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F328D7A8C2AA150CE34CFD20B55F06A,SHA256=42C0EC2E44DB489EBEBA5B2B5F787A17E74E96363967E065F6039F951F729525,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000209474Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:11:07.091{8E625C7F-6FE3-642D-6100-00000000CC02}3076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-176.us-east-2.compute.internal49875-false10.0.1.12-8000- 10341000x8000000000000000209473Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:11:09.178{8E625C7F-736D-642D-1101-00000000CC02}35642516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{8E625C7F-6FD8-642D-1E00-00000000CC02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209472Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:11:09.020{8E625C7F-6FD9-642D-2E00-00000000CC02}28362856C:\Windows\system32\conhost.exe{8E625C7F-736D-642D-1101-00000000CC02}3564C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209471Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:11:09.020{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209470Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:11:09.020{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209469Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:11:09.020{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209468Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:11:09.020{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209467Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:11:09.020{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209466Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:11:09.020{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209465Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:11:09.020{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209464Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:11:09.020{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209463Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:11:09.020{8E625C7F-6FD7-642D-0500-00000000CC02}4121036C:\Windows\system32\csrss.exe{8E625C7F-736D-642D-1101-00000000CC02}3564C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000209462Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:11:09.020{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209461Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:11:09.020{8E625C7F-6FD8-642D-1E00-00000000CC02}19442984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8E625C7F-736D-642D-1101-00000000CC02}3564C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000209460Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:11:09.021{8E625C7F-736D-642D-1101-00000000CC02}3564C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8E625C7F-6FD7-642D-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{8E625C7F-6FD8-642D-1E00-00000000CC02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000272723Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:09.731{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D1A068E2DDDD4A3D1656F4AA92B0211,SHA256=242377844E3C15F89C39DCBE7D7161CACB0FF4F5CE16A0AD68597EBE33B0C6C6,IMPHASH=00000000000000000000000000000000falsetrue 22542200x8000000000000000272722Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:06.403{EDA2768C-6FDA-642D-0B00-00000000CB02}648win-dc-ctus-attack-range-192.attackrange.local010.0.1.14;C:\Windows\System32\lsass.exe 22542200x8000000000000000272721Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:06.403{EDA2768C-6FDA-642D-0B00-00000000CB02}648win-dc-ctus-attack-range-192.attackrange.local0fe80::d58f:d9ce:a5ad:9754;C:\Windows\System32\lsass.exe 354300x8000000000000000272720Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:06.403{EDA2768C-6FDC-642D-0D00-00000000CB02}916C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:d58f:d9ce:a5ad:9754win-dc-ctus-attack-range-192.attackrange.local63910-truefe80:0:0:0:d58f:d9ce:a5ad:9754win-dc-ctus-attack-range-192.attackrange.local135epmap 354300x8000000000000000272719Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:06.403{EDA2768C-6FDA-642D-0B00-00000000CB02}648C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:d58f:d9ce:a5ad:9754win-dc-ctus-attack-range-192.attackrange.local63910-truefe80:0:0:0:d58f:d9ce:a5ad:9754win-dc-ctus-attack-range-192.attackrange.local135epmap 10341000x8000000000000000209503Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:11:10.785{8E625C7F-736E-642D-1301-00000000CC02}37682788C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{8E625C7F-6FD8-642D-1E00-00000000CC02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209502Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:11:10.628{8E625C7F-6FD9-642D-2E00-00000000CC02}28362856C:\Windows\system32\conhost.exe{8E625C7F-736E-642D-1301-00000000CC02}3768C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209501Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:11:10.628{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209500Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:11:10.628{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209499Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:11:10.628{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209498Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:11:10.628{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209497Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:11:10.628{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209496Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:11:10.628{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209495Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:11:10.628{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209494Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:11:10.628{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209493Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:11:10.628{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209492Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:11:10.628{8E625C7F-6FD7-642D-0500-00000000CC02}412540C:\Windows\system32\csrss.exe{8E625C7F-736E-642D-1301-00000000CC02}3768C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000209491Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:11:10.628{8E625C7F-6FD8-642D-1E00-00000000CC02}19442984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8E625C7F-736E-642D-1301-00000000CC02}3768C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000209490Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:11:10.628{8E625C7F-736E-642D-1301-00000000CC02}3768C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8E625C7F-6FD7-642D-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{8E625C7F-6FD8-642D-1E00-00000000CC02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000209489Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:11:10.123{8E625C7F-736D-642D-1201-00000000CC02}37124048C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{8E625C7F-6FD8-642D-1E00-00000000CC02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000272727Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:10.825{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C94CD722331610934009609898BB4BE,SHA256=762AEB2E85F82B6573617FFBEE73AB8461F58C3B9A55380444B750A1B5C0B1BE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000272726Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:06.405{EDA2768C-6FDA-642D-0B00-00000000CB02}648C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:d58f:d9ce:a5ad:9754win-dc-ctus-attack-range-192.attackrange.local63911-truefe80:0:0:0:d58f:d9ce:a5ad:9754win-dc-ctus-attack-range-192.attackrange.local49666- 354300x8000000000000000272725Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:06.405{EDA2768C-6FDA-642D-0B00-00000000CB02}648C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:d58f:d9ce:a5ad:9754win-dc-ctus-attack-range-192.attackrange.local63911-truefe80:0:0:0:d58f:d9ce:a5ad:9754win-dc-ctus-attack-range-192.attackrange.local49666- 23542300x8000000000000000272724Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:10.185{EDA2768C-6FEA-642D-2900-00000000CB02}2628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=D5CA56D6F3597357E8C3B1CA51B9F30C,SHA256=9E08A18D639B411C72E2A6F9A6F9758642B555BE3D4AE0CCE8F17A39E92A7600,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000209505Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:11:11.684{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3E12A6D1F19257BF2A032FAB4D700E81,SHA256=C30263619B4EA397EE0B12E30C2BC4FBF43ADC6DFA51B488CBE9F457B66F87C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000209504Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:11:11.321{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=211BF9530977D3F0F6DD54335477B9EE,SHA256=FE042E1990B6A726B0610CED73AA2871E957A7553CFB0C4CB66EFBF2DF5F0331,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000272736Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:09.509{EDA2768C-6FDA-642D-0B00-00000000CB02}648C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-192.attackrange.local63916-false10.0.1.14win-dc-ctus-attack-range-192.attackrange.local389ldap 354300x8000000000000000272735Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:09.509{EDA2768C-6FDA-642D-0B00-00000000CB02}648C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-192.attackrange.local63916-false10.0.1.14win-dc-ctus-attack-range-192.attackrange.local389ldap 354300x8000000000000000272734Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:09.508{EDA2768C-6FDA-642D-0B00-00000000CB02}648C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-192.attackrange.local63915-false10.0.1.14win-dc-ctus-attack-range-192.attackrange.local389ldap 354300x8000000000000000272733Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:09.508{EDA2768C-6FDA-642D-0B00-00000000CB02}648C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-192.attackrange.local63915-false10.0.1.14win-dc-ctus-attack-range-192.attackrange.local389ldap 354300x8000000000000000272732Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:09.507{EDA2768C-6FDA-642D-0B00-00000000CB02}648C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-192.attackrange.local63914-false10.0.1.14win-dc-ctus-attack-range-192.attackrange.local389ldap 354300x8000000000000000272731Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:09.507{EDA2768C-6FDA-642D-0B00-00000000CB02}648C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-192.attackrange.local63914-false10.0.1.14win-dc-ctus-attack-range-192.attackrange.local389ldap 354300x8000000000000000272730Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:09.503{EDA2768C-6FDA-642D-0B00-00000000CB02}648C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:d58f:d9ce:a5ad:9754win-dc-ctus-attack-range-192.attackrange.local63913-truefe80:0:0:0:d58f:d9ce:a5ad:9754win-dc-ctus-attack-range-192.attackrange.local389ldap 354300x8000000000000000272729Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:09.503{EDA2768C-6FDA-642D-0B00-00000000CB02}648C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:d58f:d9ce:a5ad:9754win-dc-ctus-attack-range-192.attackrange.local63913-truefe80:0:0:0:d58f:d9ce:a5ad:9754win-dc-ctus-attack-range-192.attackrange.local389ldap 354300x8000000000000000272728Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:09.034{EDA2768C-6FEA-642D-2900-00000000CB02}2628C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-192.attackrange.local63912-false10.0.1.12-8089- 23542300x8000000000000000209519Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:11:12.598{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0063DD31A0742018577366EDFCB7616,SHA256=FC990D60C13F64D86C70CD9327BA8DA31643F0D8876D05C45DB62A4FA17FE7F1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000209518Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:11:12.519{8E625C7F-6FD9-642D-2E00-00000000CC02}28362856C:\Windows\system32\conhost.exe{8E625C7F-7370-642D-1401-00000000CC02}3992C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209517Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:11:12.519{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209516Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:11:12.519{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209515Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:11:12.519{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209514Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:11:12.519{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209513Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:11:12.519{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209512Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:11:12.519{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209511Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:11:12.519{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209510Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:11:12.519{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209509Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:11:12.519{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209508Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:11:12.519{8E625C7F-6FD7-642D-0500-00000000CC02}412428C:\Windows\system32\csrss.exe{8E625C7F-7370-642D-1401-00000000CC02}3992C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000209507Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:11:12.519{8E625C7F-6FD8-642D-1E00-00000000CC02}19442984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8E625C7F-7370-642D-1401-00000000CC02}3992C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000209506Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:11:12.520{8E625C7F-7370-642D-1401-00000000CC02}3992C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8E625C7F-6FD7-642D-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{8E625C7F-6FD8-642D-1E00-00000000CC02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 22542200x8000000000000000272740Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:09.503{EDA2768C-6FDA-642D-0B00-00000000CB02}648win-dc-ctus-attack-range-192.attackrange.local0fe80::d58f:d9ce:a5ad:9754;::ffff:10.0.1.14;C:\Windows\System32\lsass.exe 354300x8000000000000000272739Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:09.510{EDA2768C-6FDA-642D-0B00-00000000CB02}648C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-192.attackrange.local63917-false10.0.1.14win-dc-ctus-attack-range-192.attackrange.local389ldap 354300x8000000000000000272738Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:09.510{EDA2768C-6FDA-642D-0B00-00000000CB02}648C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-192.attackrange.local63917-false10.0.1.14win-dc-ctus-attack-range-192.attackrange.local389ldap 23542300x8000000000000000272737Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:12.028{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ABD898855B9496B7B3286A7D145814A4,SHA256=48CC907A2889DBF2ACF43472F7C06C24003B9CEAB855800AE1FDBA65B06196E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000209520Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:11:13.827{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44C0DA7861117BDFE9C86021FD1BCC51,SHA256=BF875E1BAB0DE6AAE74C05F716AA3573B4F4611F551CE73F5E10C9D04825D80F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272742Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:13.122{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9CEDD0913F56C25E2403205F78E68251,SHA256=D1A06C79AF0274F304AD8E1A8CB05DB0B2826BCF95F68ABBE95812DE14D4476A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000272741Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:10.096{EDA2768C-6FF5-642D-7000-00000000CB02}1600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-192.attackrange.local63918-false10.0.1.12-8000- 354300x8000000000000000209521Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:11:12.075{8E625C7F-6FE3-642D-6100-00000000CC02}3076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-176.us-east-2.compute.internal49876-false10.0.1.12-8000- 23542300x8000000000000000272743Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:14.108{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0AEA8F37D3C3CD66E6FCCA7026E3BFDE,SHA256=A9493CA3F928E824AFCB41D40480051EA173D78798C1A221CDC454A4D04BEF18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000209522Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:11:15.040{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C75AB3F258CFE00F717A21B454ADEC61,SHA256=681AB3C20CC6552B8A6A57BA143901F47A1A25CA934E5D9CE13F285E1826F758,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000272745Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:12.792{EDA2768C-6FEC-642D-4200-00000000CB02}3480C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-192.attackrange.local63919-false169.254.169.254-80http 23542300x8000000000000000272744Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:15.201{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C18F4547F73FCAB6264E24527B54BEE9,SHA256=30C757BDEBD7606242517DCF517100C31182D5B67EA5ACD7F35CAE74E831F308,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000209524Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:11:16.351{8E625C7F-6FD8-642D-1A00-00000000CC02}1868NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0349dcef4ef1bffd1\channels\health\respondent-20230405125554-014MD5=01AFA1117B3FF8C251038CF8389D3BC3,SHA256=E6B2DA3B1F447C8796BEA507CA8DDC0A951700532C0315D7CA2BAFBA4D11A451,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000209523Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:11:16.143{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31F5D24D5914C1C446A94587BDDE868C,SHA256=E4D1817AB006114F3FE44650B13B41463AA686C1B9D059BA828FFC24CB97D614,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272746Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:16.405{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA9B69C194A6631042A3787A1558BEF1,SHA256=601D430D5BE865A65AD05DAB11924C11954D118E7CE5ACDBA7EA1CD5AFDB7D5A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000209526Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:11:17.364{8E625C7F-6FD8-642D-1A00-00000000CC02}1868NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0349dcef4ef1bffd1\channels\health\surveyor-20230405125553-015MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000209525Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:11:17.237{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7EF1A940AF8EB19BA6E94DCF2960B07B,SHA256=EDFDC8282E885C95C0A8D152EF95BE946BBFD763220BE821CAF591986D643713,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272747Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:17.499{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=800028E99DD448E54E23C2277D0D9721,SHA256=75242EE6110B41710C537B4D9BD6114B39FD4FED047D8021D5D5DD2BB49F90DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000209527Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:11:18.355{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D385E4564B4035197CABF8A0034DFF7,SHA256=56C80347D41FA8CCC4295825DD76100313E9D21E33A60E2C8B14C0B1DE3DDC1E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272749Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:18.702{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D9078796A9A6A850A8F4DA4C5432396,SHA256=784FAB6EF83FF24850254E3BCB14C8E5BAA59C0FD6A03493E39C122BA2A0CF7C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000272748Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:15.988{EDA2768C-6FF5-642D-7000-00000000CB02}1600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-192.attackrange.local63920-false10.0.1.12-8000- 354300x8000000000000000209529Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:11:17.878{8E625C7F-6FE3-642D-6100-00000000CC02}3076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-176.us-east-2.compute.internal49877-false10.0.1.12-8000- 23542300x8000000000000000209528Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:11:19.457{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E006E0DE26D471B415FAB949D6EFEF5C,SHA256=D9D994F8B8504E4F0D31F7EE014813DE933F52E80C864E7C796279175A21C6C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272750Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:19.905{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F585C0DF99795E85C1E9055B88E60292,SHA256=5392E92CCCE690EEC06A1FB2D559B5EB06BE1786172B10FD9C840284A980FAE2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000209530Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:11:20.670{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69EDEE5F4339FCC343E3EAF2FF7A90F5,SHA256=829D1839BD385C900CF6B393E5CBBFE7FFF0F655440A22AF31A3634A02CD4816,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000209531Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:11:21.883{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B61AB97123D01F69E9592B72BB95697,SHA256=54BA7EDF46896007A8A23FA122F557FB30BB6D4E4147876B721F7A2474A35FC8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272751Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:21.217{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1F773156A159DF2669BA00134F51EFA,SHA256=8CDB1AC63420667E7847C7FA53D3E98661DA4E8F75C7AF174DC6584DCD9CCFF4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000209532Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:11:22.985{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7D8B02B8E9DF89B3F3C5A98A2065D86,SHA256=EA38B29A62E8CF1171EFF77785430107F38DEC61435723F7DAF65E59F7AECA90,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272752Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:22.311{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B90BBEFE69455155D529712A1EF91DF6,SHA256=64608057A9A3D4BAC95C833B9A343C9C3702F457CDFEA2836CCD07FB05D10E6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272753Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:23.624{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7705787A562EF264109D377EB58827F6,SHA256=461CA08659251A8AFDDA8267FB78025279AE07BA9B53E762FECBC24DDD6F4DAE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000209533Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:11:24.308{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33A98A664A58F959D6BED93DE9BEC219,SHA256=0484D6DB1BEF1294DC94D0B2AF9E130C93EE3834B9851143F7BE96CB83BC5012,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000272780Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:24.936{EDA2768C-6FEB-642D-3500-00000000CB02}31363164C:\Windows\system32\conhost.exe{EDA2768C-737C-642D-1601-00000000CB02}2232C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272779Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:24.936{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272778Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:24.936{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272777Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:24.936{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272776Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:24.936{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272775Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:24.936{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272774Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:24.936{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272773Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:24.936{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272772Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:24.936{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272771Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:24.936{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272770Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:24.936{EDA2768C-6FD9-642D-0500-00000000CB02}420548C:\Windows\system32\csrss.exe{EDA2768C-737C-642D-1601-00000000CB02}2232C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000272769Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:24.936{EDA2768C-6FEA-642D-2900-00000000CB02}26284044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EDA2768C-737C-642D-1601-00000000CB02}2232C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000272768Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:24.937{EDA2768C-737C-642D-1601-00000000CB02}2232C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{EDA2768C-6FDA-642D-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{EDA2768C-6FEA-642D-2900-00000000CB02}2628C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000272767Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:24.718{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2C29959C7978052790B5C5C5EC85E3B,SHA256=555312A9425A93CBD2AE0763695B0DAB4D44F7A8873511294BEC90B17D506CF9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000272766Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:24.030{EDA2768C-6FEB-642D-3500-00000000CB02}31363164C:\Windows\system32\conhost.exe{EDA2768C-737C-642D-1501-00000000CB02}3752C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272765Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:24.030{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272764Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:24.030{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272763Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:24.030{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272762Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:24.030{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272761Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:24.030{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272760Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:24.030{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272759Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:24.030{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272758Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:24.030{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272757Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:24.030{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272756Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:24.030{EDA2768C-6FD9-642D-0500-00000000CB02}420784C:\Windows\system32\csrss.exe{EDA2768C-737C-642D-1501-00000000CB02}3752C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000272755Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:24.030{EDA2768C-6FEA-642D-2900-00000000CB02}26284044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EDA2768C-737C-642D-1501-00000000CB02}3752C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000272754Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:24.031{EDA2768C-737C-642D-1501-00000000CB02}3752C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{EDA2768C-6FDA-642D-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{EDA2768C-6FEA-642D-2900-00000000CB02}2628C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000209534Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:11:25.411{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1250107E2E43F0C6D26240324694E24F,SHA256=071DFB558DE5DB4F71BE40289CF8ED20E6D554464CD610E872F6F883846D65B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272797Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:25.811{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E3167B537FB8E3E47C48C725618578E,SHA256=4B1DC2159311DB4E2A93FAC79C3F41584E2FB3233FC2E865EDD5AD9ED54257E9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000272796Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:25.796{EDA2768C-6FEB-642D-3500-00000000CB02}31363164C:\Windows\system32\conhost.exe{EDA2768C-737D-642D-1701-00000000CB02}3364C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272795Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:25.796{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272794Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:25.796{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272793Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:25.796{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272792Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:25.796{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272791Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:25.796{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272790Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:25.796{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272789Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:25.796{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272788Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:25.796{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272787Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:25.796{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272786Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:25.796{EDA2768C-6FD9-642D-0500-00000000CB02}420436C:\Windows\system32\csrss.exe{EDA2768C-737D-642D-1701-00000000CB02}3364C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000272785Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:25.796{EDA2768C-6FEA-642D-2900-00000000CB02}26284044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EDA2768C-737D-642D-1701-00000000CB02}3364C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000272784Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:25.797{EDA2768C-737D-642D-1701-00000000CB02}3364C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{EDA2768C-6FDA-642D-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{EDA2768C-6FEA-642D-2900-00000000CB02}2628C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000272783Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:21.894{EDA2768C-6FF5-642D-7000-00000000CB02}1600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-192.attackrange.local63921-false10.0.1.12-8000- 10341000x8000000000000000272782Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:25.186{EDA2768C-737C-642D-1601-00000000CB02}22322848C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{EDA2768C-6FEA-642D-2900-00000000CB02}2628C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000272781Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:25.093{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=454AC8D9E9AE22E7F592509969901F5F,SHA256=1085B37996EC01E74A38FCE3CEF81658F899B9C0843A213EDBDAC0FC66408263,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000209536Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:11:26.513{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8E07DBEA80514C1B58B929AFCB6B4FC,SHA256=82935E598A1DE84491886043A6344F22D05C24165320EED9302A257E6765BC09,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272799Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:26.905{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D1239E3D2F6BB73B9B9460FEEEBCAB4,SHA256=C7B7B3C7D791A333393F4B9B78E18128D1CFCB2FCDDD02132C8F2BD3AF421D6E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000209535Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:11:22.863{8E625C7F-6FE3-642D-6100-00000000CC02}3076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-176.us-east-2.compute.internal49878-false10.0.1.12-8000- 23542300x8000000000000000272798Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:26.046{EDA2768C-6FEA-642D-2900-00000000CB02}2628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=13E6C1BEE9E30AD445822CD1A4D8B83E,SHA256=9576F940A99221C8F493CB38BB882D183130520A5E073CD7FF8C2B706E121365,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000209537Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:11:27.615{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6BC1DE3AFBEE17B57975E1D70FD651E2,SHA256=2AAE2B445906D7205346D659BA58F65CA58A82189EC7DE7F0C78DEA53752E2BA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000272814Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:27.921{EDA2768C-6FEB-642D-3500-00000000CB02}31363164C:\Windows\system32\conhost.exe{EDA2768C-737F-642D-1801-00000000CB02}2212C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272813Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:27.921{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272812Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:27.921{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272811Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:27.921{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272810Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:27.921{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272809Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:27.921{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272808Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:27.921{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272807Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:27.921{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272806Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:27.921{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272805Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:27.921{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272804Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:27.921{EDA2768C-6FD9-642D-0500-00000000CB02}420784C:\Windows\system32\csrss.exe{EDA2768C-737F-642D-1801-00000000CB02}2212C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000272803Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:27.921{EDA2768C-6FEA-642D-2900-00000000CB02}26284044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EDA2768C-737F-642D-1801-00000000CB02}2212C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000272802Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:27.922{EDA2768C-737F-642D-1801-00000000CB02}2212C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{EDA2768C-6FDA-642D-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{EDA2768C-6FEA-642D-2900-00000000CB02}2628C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000272801Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:24.660{EDA2768C-6FDA-642D-0B00-00000000CB02}648C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-192.attackrange.local63922-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-192.attackrange.local389ldap 354300x8000000000000000272800Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:24.660{EDA2768C-6FEA-642D-2700-00000000CB02}2600C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-192.attackrange.local63922-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-192.attackrange.local389ldap 23542300x8000000000000000209538Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:11:28.717{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA7D3EB8983CF6C5D9B40071BC0469A9,SHA256=61C9A07530A23E5520E6DCD7DBE1DF8BCB2B70F7A89DF6E6C49048BDAF7E8A0B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000272830Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:28.624{EDA2768C-7380-642D-1901-00000000CB02}12123196C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{EDA2768C-6FEA-642D-2900-00000000CB02}2628C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272829Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:28.421{EDA2768C-6FEB-642D-3500-00000000CB02}31363164C:\Windows\system32\conhost.exe{EDA2768C-7380-642D-1901-00000000CB02}1212C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272828Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:28.421{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272827Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:28.421{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272826Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:28.421{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272825Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:28.421{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272824Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:28.421{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272823Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:28.421{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272822Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:28.421{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272821Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:28.421{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272820Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:28.421{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272819Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:28.421{EDA2768C-6FD9-642D-0500-00000000CB02}420548C:\Windows\system32\csrss.exe{EDA2768C-7380-642D-1901-00000000CB02}1212C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000272818Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:28.421{EDA2768C-6FEA-642D-2900-00000000CB02}26284044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EDA2768C-7380-642D-1901-00000000CB02}1212C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000272817Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:28.422{EDA2768C-7380-642D-1901-00000000CB02}1212C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{EDA2768C-6FDA-642D-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{EDA2768C-6FEA-642D-2900-00000000CB02}2628C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000272816Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:28.202{EDA2768C-737F-642D-1801-00000000CB02}22122112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{EDA2768C-6FEA-642D-2900-00000000CB02}2628C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000272815Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:28.016{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78B909242085B0B750CA2F9F03347C56,SHA256=C8B296460E739DE9C7610598D6B93AB782DD61E42CE8B61D86943CDC21B399E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000209539Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:11:29.819{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC029EFB6875C3C336BCD84AAD2E1DBC,SHA256=0F31EE0859717840CC374166F80F58711D681347D8D5FE2267AB6F861B848F70,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000272846Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:27.020{EDA2768C-6FF5-642D-7000-00000000CB02}1600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-192.attackrange.local63923-false10.0.1.12-8000- 10341000x8000000000000000272845Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:29.296{EDA2768C-7381-642D-1A01-00000000CB02}25923640C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{EDA2768C-6FEA-642D-2900-00000000CB02}2628C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000272844Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:29.218{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB475A98455875752BE026B85287EFE7,SHA256=666611D84C32E28E2635581BD473D082961FA04E7C38CF62FC68B84401340370,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000272843Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:29.093{EDA2768C-6FEB-642D-3500-00000000CB02}31363164C:\Windows\system32\conhost.exe{EDA2768C-7381-642D-1A01-00000000CB02}2592C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272842Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:29.093{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272841Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:29.093{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272840Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:29.093{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272839Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:29.093{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272838Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:29.093{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272837Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:29.093{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272836Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:29.093{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272835Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:29.093{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272834Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:29.093{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272833Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:29.093{EDA2768C-6FD9-642D-0500-00000000CB02}420436C:\Windows\system32\csrss.exe{EDA2768C-7381-642D-1A01-00000000CB02}2592C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000272832Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:29.093{EDA2768C-6FEA-642D-2900-00000000CB02}26284044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EDA2768C-7381-642D-1A01-00000000CB02}2592C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000272831Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:29.094{EDA2768C-7381-642D-1A01-00000000CB02}2592C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{EDA2768C-6FDA-642D-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{EDA2768C-6FEA-642D-2900-00000000CB02}2628C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000272848Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:30.218{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=307EB187B052CEE01B69C8974BFCF9B7,SHA256=124AD04B74D7AB700F785FF1529B63AC222004533DCD39D7E55EBE4AEDA156CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272847Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:30.124{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1950E7D7230BF81F3F02FB6E902820EB,SHA256=D30D16AB1B7594C99369308ECE7EB371ED0A952737F32910A4FC807CE4B9A11F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000209541Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:11:28.722{8E625C7F-6FE3-642D-6100-00000000CC02}3076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-176.us-east-2.compute.internal49879-false10.0.1.12-8000- 23542300x8000000000000000209540Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:11:31.031{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC70F04DA5372594DCFEBB1FE4AF9AF4,SHA256=133DD6A232E6431886D5C3E178382B477875A37EC3CDBEA7B2F5154AF46DED13,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272862Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:31.202{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88EF1984515977B006EDD34CC2060701,SHA256=35C0AF678450D8574AF235009BD8925651BA71CFA4E81967F2A2564BC720FA78,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000272861Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:31.093{EDA2768C-6FEB-642D-3500-00000000CB02}31363164C:\Windows\system32\conhost.exe{EDA2768C-7383-642D-1B01-00000000CB02}3636C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272860Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:31.093{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272859Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:31.093{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272858Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:31.093{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272857Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:31.093{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272856Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:31.093{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272855Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:31.093{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272854Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:31.093{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272853Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:31.093{EDA2768C-6FD9-642D-0500-00000000CB02}420548C:\Windows\system32\csrss.exe{EDA2768C-7383-642D-1B01-00000000CB02}3636C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000272852Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:31.093{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272851Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:31.093{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272850Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:31.093{EDA2768C-6FEA-642D-2900-00000000CB02}26284044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EDA2768C-7383-642D-1B01-00000000CB02}3636C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000272849Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:31.094{EDA2768C-7383-642D-1B01-00000000CB02}3636C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{EDA2768C-6FDA-642D-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{EDA2768C-6FEA-642D-2900-00000000CB02}2628C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000209542Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:11:32.133{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4706F66499FBF63910BA478B13D3C630,SHA256=9B5C33FC2F1CE8BDB9A1098E4C78D9B0B0A47802C65CEBFEC626710066B2D8F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272863Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:32.296{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E70D776A31FB3707C9F652989A7FD21,SHA256=C8970B7E146544D4A9BEBC155E86329FF8DE5062BD3F005C5A32193953C508DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000209543Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:11:33.345{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6BF16AB22DB672506101E5036F4F7960,SHA256=4234BE4C17323558264C82657AA789800BB8E040F36EFD9AA30DDD10E1049CDE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272864Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:33.390{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97D93E570B870A1C1F8D10F4CB049801,SHA256=6FCD9ECFC2A0ADB4071D20868DA4122835788FBC2987B095E6187C5759AC6983,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000209544Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:11:34.446{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2C451E295CC179891B6D8AF62839F1A,SHA256=954349774939D479EF6D9163BEB09A1846F8BA1796A106BC30FB8B0948F14AB0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000272873Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:34.874{EDA2768C-6FDA-642D-0B00-00000000CB02}648852C:\Windows\system32\lsass.exe{EDA2768C-6FEA-642D-2E00-00000000CB02}2688C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272872Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:34.874{EDA2768C-6FDA-642D-0B00-00000000CB02}648852C:\Windows\system32\lsass.exe{EDA2768C-6FEA-642D-2E00-00000000CB02}2688C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272871Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:34.874{EDA2768C-6FDA-642D-0B00-00000000CB02}648852C:\Windows\system32\lsass.exe{EDA2768C-6FEA-642D-2E00-00000000CB02}2688C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000272870Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:34.484{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90C658708C139AA43FE16E4078199DF4,SHA256=A134154BE1812B50D7347C6F391B2D825D6CF7C29464D01364776A8851A5C279,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000272869Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-SetValue2023-04-05 13:11:34.031{EDA2768C-6FEA-642D-2E00-00000000CB02}2688C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\18D70D3F-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_18D70D3F-0000-0000-0000-100000000000.XML 13241300x8000000000000000272868Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-SetValue2023-04-05 13:11:34.015{EDA2768C-6FEA-642D-2E00-00000000CB02}2688C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\DCA7089A-C3C5-4376-9F84-1410F40204D8\Config SourceDWORD (0x00000001) 13241300x8000000000000000272867Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-SetValue2023-04-05 13:11:34.015{EDA2768C-6FEA-642D-2E00-00000000CB02}2688C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\DCA7089A-C3C5-4376-9F84-1410F40204D8\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_DCA7089A-C3C5-4376-9F84-1410F40204D8.XML 10341000x8000000000000000272866Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:34.015{EDA2768C-6FDA-642D-0B00-00000000CB02}648852C:\Windows\system32\lsass.exe{EDA2768C-6FEA-642D-2E00-00000000CB02}2688C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272865Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:34.015{EDA2768C-6FDA-642D-0B00-00000000CB02}648852C:\Windows\system32\lsass.exe{EDA2768C-6FEA-642D-2E00-00000000CB02}2688C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000209545Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:11:35.658{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2A79B3A295AE1820C8E2FF8FB3FEEBD,SHA256=926AEAC0C46F304F788CA087F11EF6A080533AF85C5D91924BA1C6C8A1415175,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000272885Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:32.941{EDA2768C-6FF5-642D-7000-00000000CB02}1600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-192.attackrange.local63925-false10.0.1.12-8000- 354300x8000000000000000272884Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:32.899{EDA2768C-6FDC-642D-1400-00000000CB02}1068C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruea00:10e:0:0:58c1:a5f2:4ae:ffff-49828-truee000:fc:8a:d044:8ac8:eb02:b230:4c8b-5355llmnr 354300x8000000000000000272883Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:32.899{EDA2768C-6FDC-642D-1400-00000000CB02}1068C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruefe80:0:0:0:d58f:d9ce:a5ad:9754win-dc-ctus-attack-range-192.attackrange.local49828-trueff02:0:0:0:0:0:1:3-5355llmnr 354300x8000000000000000272882Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:32.881{EDA2768C-6FDC-642D-0D00-00000000CB02}916C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:d58f:d9ce:a5ad:9754win-dc-ctus-attack-range-192.attackrange.local63924-truefe80:0:0:0:d58f:d9ce:a5ad:9754win-dc-ctus-attack-range-192.attackrange.local135epmap 354300x8000000000000000272881Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:32.881{EDA2768C-6FEA-642D-2E00-00000000CB02}2688C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:d58f:d9ce:a5ad:9754win-dc-ctus-attack-range-192.attackrange.local63924-truefe80:0:0:0:d58f:d9ce:a5ad:9754win-dc-ctus-attack-range-192.attackrange.local135epmap 10341000x8000000000000000272880Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:35.880{EDA2768C-6FDA-642D-0B00-00000000CB02}648820C:\Windows\system32\lsass.exe{EDA2768C-6FEA-642D-2E00-00000000CB02}2688C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272879Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:35.880{EDA2768C-6FDA-642D-0B00-00000000CB02}648820C:\Windows\system32\lsass.exe{EDA2768C-6FEA-642D-2E00-00000000CB02}2688C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272878Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:35.708{EDA2768C-6FDA-642D-0B00-00000000CB02}648820C:\Windows\system32\lsass.exe{EDA2768C-6FEA-642D-2E00-00000000CB02}2688C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272877Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:35.708{EDA2768C-6FDA-642D-0B00-00000000CB02}648820C:\Windows\system32\lsass.exe{EDA2768C-6FEA-642D-2E00-00000000CB02}2688C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272876Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:35.708{EDA2768C-6FDA-642D-0B00-00000000CB02}648820C:\Windows\system32\lsass.exe{EDA2768C-6FEA-642D-2E00-00000000CB02}2688C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000272875Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:35.692{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBCD0F27B56420734F2DCDD8CE167719,SHA256=0A72C4AF101063207672DB813AFB9F08A2215F12E45CB2C1626589960CE4B5D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272874Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:35.314{EDA2768C-6FEA-642D-2800-00000000CB02}2608NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0325ca857d975bee2\channels\health\respondent-20230405125612-014MD5=8F9BF81EEEF0CC5FBD19D34ACA4D7654,SHA256=BDB857148A23C205BC97FF1DFCA28720A075C205934C789E9782C71AA2112876,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000209547Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:11:36.760{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=213FD084542A3A3C806B698BC39948A3,SHA256=ABC33D2EB93D3E6373BF368D086FFB5AC7CA2B864AB4460D60B7F32CEDDEE619,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000272890Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:33.738{EDA2768C-6FDA-642D-0B00-00000000CB02}648C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-192.attackrange.local63926-false10.0.1.14win-dc-ctus-attack-range-192.attackrange.local389ldap 354300x8000000000000000272889Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:33.738{EDA2768C-6FEA-642D-2E00-00000000CB02}2688C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-192.attackrange.local63926-false10.0.1.14win-dc-ctus-attack-range-192.attackrange.local389ldap 23542300x8000000000000000272888Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:36.795{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92BDBEE2A9BE401437A0D0EDF90DF134,SHA256=09BA697684E1F0BA729CA902C67EB829CE7CD40250D955EF31A39EAF921EAA7D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000209546Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:11:33.768{8E625C7F-6FE3-642D-6100-00000000CC02}3076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-176.us-east-2.compute.internal49880-false10.0.1.12-8000- 23542300x8000000000000000272887Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:36.318{EDA2768C-6FEA-642D-2800-00000000CB02}2608NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0325ca857d975bee2\channels\health\surveyor-20230405125610-015MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272886Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:36.051{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5E655368DBEBA6764723B69992EC8BED,SHA256=5FA27CFE541B6E7ED51029702C622D09518337F8642ACE0A7BBA98B992A82344,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000209549Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:11:37.861{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B917FA05831489E43D3E485EB9E16B16,SHA256=D7CBFB93D3EF70F028C6F69700065A2C9CDE8B28D2D3E3F159A7F050D89AE4F1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000272892Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:34.571{EDA2768C-6FDA-642D-0B00-00000000CB02}648C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-192.attackrange.local63927-false10.0.1.14win-dc-ctus-attack-range-192.attackrange.local389ldap 354300x8000000000000000272891Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:34.571{EDA2768C-6FEA-642D-2E00-00000000CB02}2688C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-192.attackrange.local63927-false10.0.1.14win-dc-ctus-attack-range-192.attackrange.local389ldap 23542300x8000000000000000209548Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:11:37.609{8E625C7F-6FD8-642D-1E00-00000000CC02}1944NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=7154031AAC85D196C338F6D683A798C0,SHA256=39BC74A341B1711552A820C0B26B438537B0F79B8374FE583704AF7E98DFE2CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000209550Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:11:38.963{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41E30ABB4D0A4753B5B253952E7D0FBC,SHA256=434C172366CC15A18D0673DAE18BB0B2394C60172783EA9543C7FA4D4E5D8DFB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272893Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:38.007{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7EF3B0E29DC54F2E02623A2F6661D5FC,SHA256=1E31166875AA972F2402A15D5F32DA0EA5CCBDB407B0DB533B0C7D8A3CD9A66D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272894Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:39.101{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=334B66A7C5F3873F403F4506010998F1,SHA256=92379E2719A6EF77BEE4B9D007FF32099AFBB288BABFA6B947EFFE93071174ED,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000209552Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:11:38.800{8E625C7F-6FE3-642D-6100-00000000CC02}3076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-176.us-east-2.compute.internal49881-false10.0.1.12-8000- 23542300x8000000000000000209551Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:11:40.284{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16537843B3D94B2E92E54D03AA599E8C,SHA256=229A2C252D3FC27415D42DA403D7A6C5E92063C6F7A9903C3B3E3A42B6C50141,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000272896Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:40.898{EDA2768C-6FDA-642D-0B00-00000000CB02}648820C:\Windows\system32\lsass.exe{EDA2768C-6FDC-642D-1400-00000000CB02}1068C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000272895Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:40.195{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E42CE92D3C506CAE9142CEFC64F3EE6,SHA256=E52DB363025EC3CF0587E85C58AD0D5DD44D03F70ED07C1CC7FBAE35C282D0C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000209553Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:11:41.496{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=650EBEAA3F7D9BA029A022A538700A71,SHA256=C44C0CAAC2593E4E6AAA5D44F7D5CF19D02A502EB64481E514A8B004E8B09C20,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000272898Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-SetValue2023-04-05 13:11:41.648{EDA2768C-6FDC-642D-1200-00000000CB02}388C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d967c0-0x29c908d2) 23542300x8000000000000000272897Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:41.507{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BEF8034BB4E8CCFADB87198962F2AE7B,SHA256=AC8100C977831A0AB87B73A2C0F63DF96E6E6839616752A346975E80D6E5A785,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000209554Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:11:42.612{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4519CA1B3E976300D39B0551A5C14212,SHA256=97F2554E701A84AC6C3260F44BA366299D4B7006D0BEEABD21CF16EDA52E7979,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000272924Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:42.851{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FDC-642D-1400-00000000CB02}1068C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272923Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:42.851{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FDC-642D-1400-00000000CB02}1068C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272922Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:42.851{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FDC-642D-1400-00000000CB02}1068C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272921Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:42.851{EDA2768C-6FDA-642D-0B00-00000000CB02}648820C:\Windows\system32\lsass.exe{EDA2768C-6FD6-642D-0100-00000000CB02}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\kerberos.DLL+97a82|C:\Windows\system32\kerberos.DLL+79da8|C:\Windows\system32\kerberos.DLL+144ff|C:\Windows\system32\lsasrv.dll+2fa11|C:\Windows\system32\lsasrv.dll+2d8f6|C:\Windows\system32\lsasrv.dll+32ce5|C:\Windows\system32\lsasrv.dll+30b6b|C:\Windows\system32\lsasrv.dll+2fa11|C:\Windows\system32\lsasrv.dll+17a7d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x8000000000000000272920Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:42.851{EDA2768C-6FDA-642D-0B00-00000000CB02}648820C:\Windows\system32\lsass.exe{EDA2768C-6FDC-642D-1400-00000000CB02}1068C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272919Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:42.742{EDA2768C-6FDA-642D-0B00-00000000CB02}648820C:\Windows\system32\lsass.exe{EDA2768C-6FDD-642D-1600-00000000CB02}1288C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272918Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:42.742{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FDC-642D-1400-00000000CB02}1068C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272917Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:42.742{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FDC-642D-1400-00000000CB02}1068C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272916Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:42.742{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FDC-642D-1400-00000000CB02}1068C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272915Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:42.742{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FDC-642D-1400-00000000CB02}1068C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272914Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:42.742{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FDC-642D-1400-00000000CB02}1068C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272913Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:42.742{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FDC-642D-1400-00000000CB02}1068C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272912Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:42.742{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FDC-642D-1400-00000000CB02}1068C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272911Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:42.742{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FDC-642D-1400-00000000CB02}1068C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272910Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:42.742{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FDC-642D-1400-00000000CB02}1068C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272909Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:42.742{EDA2768C-6FDA-642D-0B00-00000000CB02}648852C:\Windows\system32\lsass.exe{EDA2768C-6FDD-642D-1600-00000000CB02}1288C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272908Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:42.742{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FDC-642D-1400-00000000CB02}1068C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272907Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:42.742{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FDC-642D-1400-00000000CB02}1068C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272906Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:42.742{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FDC-642D-1400-00000000CB02}1068C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272905Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:42.742{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FDC-642D-1400-00000000CB02}1068C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272904Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:42.742{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FDC-642D-1400-00000000CB02}1068C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272903Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:42.742{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FDC-642D-1400-00000000CB02}1068C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000272902Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:42.601{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FCB09B8ED947300ABA2641696C99194B,SHA256=CB42F97AC661A54F354065AE4392776CD75AB1A787A7967C38B417C7ABABC6F3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000272901Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:39.763{EDA2768C-6FD6-642D-0100-00000000CB02}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:d58f:d9ce:a5ad:9754win-dc-ctus-attack-range-192.attackrange.local63929-truefe80:0:0:0:d58f:d9ce:a5ad:9754win-dc-ctus-attack-range-192.attackrange.local445microsoft-ds 354300x8000000000000000272900Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:39.763{EDA2768C-6FD6-642D-0100-00000000CB02}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:d58f:d9ce:a5ad:9754win-dc-ctus-attack-range-192.attackrange.local63929-truefe80:0:0:0:d58f:d9ce:a5ad:9754win-dc-ctus-attack-range-192.attackrange.local445microsoft-ds 354300x8000000000000000272899Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:38.948{EDA2768C-6FF5-642D-7000-00000000CB02}1600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-192.attackrange.local63928-false10.0.1.12-8000- 23542300x8000000000000000209555Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:11:43.824{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38D3703AE93ACFF2753AA4019E4B5A8E,SHA256=B05D737560089743E746177EF568BD0A9BDA9D67D8AAB1DFCBA8F6D17B1EDCDE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272926Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:43.805{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BE592DC6BCE74455697AD85085A2A9A,SHA256=01C9BFEE228C91E9C7038C8D460B1943127353434431F9DF6605057F4043A415,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000272925Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:40.464{EDA2768C-6FDC-642D-1200-00000000CB02}388C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.14win-dc-ctus-attack-range-192.attackrange.local123ntpfalse168.61.215.74-123ntp 10341000x8000000000000000272933Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:44.383{EDA2768C-6FDA-642D-0B00-00000000CB02}648820C:\Windows\system32\lsass.exe{EDA2768C-6FDC-642D-1200-00000000CB02}388C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272932Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:44.383{EDA2768C-6FDA-642D-0B00-00000000CB02}648820C:\Windows\system32\lsass.exe{EDA2768C-6FDC-642D-1200-00000000CB02}388C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000272931Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:41.620{EDA2768C-6FDA-642D-0B00-00000000CB02}648C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-192.attackrange.local63931-false10.0.1.14win-dc-ctus-attack-range-192.attackrange.local389ldap 354300x8000000000000000272930Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:41.620{EDA2768C-6FDD-642D-1600-00000000CB02}1288C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-192.attackrange.local63931-false10.0.1.14win-dc-ctus-attack-range-192.attackrange.local389ldap 354300x8000000000000000272929Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:41.610{EDA2768C-6FDA-642D-0B00-00000000CB02}648C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:d58f:d9ce:a5ad:9754win-dc-ctus-attack-range-192.attackrange.local63930-truefe80:0:0:0:d58f:d9ce:a5ad:9754win-dc-ctus-attack-range-192.attackrange.local389ldap 354300x8000000000000000272928Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:41.610{EDA2768C-6FDD-642D-1600-00000000CB02}1288C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:d58f:d9ce:a5ad:9754win-dc-ctus-attack-range-192.attackrange.local63930-truefe80:0:0:0:d58f:d9ce:a5ad:9754win-dc-ctus-attack-range-192.attackrange.local389ldap 23542300x8000000000000000272927Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:44.039{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C880C4E6E8A88C5DD7156A48A89F4FA6,SHA256=56642254555297B7B878F2717E0829ECFFE2C9C040637D7ADF402E93712BFE75,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000209556Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:11:45.035{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D76886DA6ECAB74A255CD0965DB693DB,SHA256=5CD06F9A1567845AA47D860F41805983BC15BC0768F1F5FBCDBDDDB7C7E2A207,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272934Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:45.133{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=099A01C1DC0BDBEA0B272F2A7E4D0815,SHA256=86833399A41F46AC86539481D34D46209918C529E9A0B57A9D1DC255EB624555,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000209558Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:11:44.643{8E625C7F-6FE3-642D-6100-00000000CC02}3076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-176.us-east-2.compute.internal49882-false10.0.1.12-8000- 23542300x8000000000000000209557Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:11:46.246{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20111FA0271984329E4FADB6003D199F,SHA256=64A0E42803BD34B4F03610551F32EE973639EDD88FB0544F857420BCA3FB0CAF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272937Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:46.336{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2BA646D66A7667AFCD8FE0D50BFCFCDF,SHA256=3F0896A1852B37469654DCA9A9AE9EA58ECE2C0031EB5C55ABD3EFBB35A81352,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000272936Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:43.247{EDA2768C-6FEA-642D-2A00-00000000CB02}2644C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-192.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-192.attackrange.local64087- 354300x8000000000000000272935Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:43.247{EDA2768C-6FDC-642D-1400-00000000CB02}1068C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-192.attackrange.local64087-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-192.attackrange.local53domain 23542300x8000000000000000209559Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:11:47.567{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19C796F2E6D7F2C0A3E345F8A4BDC71E,SHA256=96D55FE703B11D8ABED2EB462B0C4A7538A487C9B8A5EA0A0185D336A7B151BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272939Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:47.539{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0EB84903600CD9EEAE6A684EAB94AB3F,SHA256=0465682844E73E034BA887754A3A3877C655E9C267BD71F5EE4468F0685ECC4B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000272938Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:44.073{EDA2768C-6FF5-642D-7000-00000000CB02}1600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-192.attackrange.local63932-false10.0.1.12-8000- 23542300x8000000000000000209560Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:11:48.668{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63C45E132B7C810949C58D3D2C572BB5,SHA256=BFB3108EB364B70AC5255E8E7F19547E2E7FAD75FC7D0E0F672E3659506D5DB1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272940Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:48.742{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0C65723A653772E974056B2E4F95166,SHA256=1915596AABC4E6E99776BB4F12EFCA22B346F29D1F189267DDEA00CA7AC58636,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000209561Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:11:49.769{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9336E3CC8DDF0FFAE6E234781D328313,SHA256=6AB0AB5CB04D1421B3832C5C088A4EE4DC1702C03726053E5656789AB67B0778,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272941Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:49.836{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=790C543CD32D40D61EA4DD8D2C63EDE7,SHA256=4190816BE852098F05C9D5A147ED9F7AB8172231F618F8F35526E9411DB48C0C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000209562Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:11:50.870{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8826B558179380815C373CF87199C575,SHA256=FA4D730911E7B8DA3AA888078B7E85552754EE2AD05716F915A5D9E15F838D8E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272942Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:50.930{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0ABE4E86BF1DFD79CE2282D9D5FC1108,SHA256=2171BBD2B4114DC1EA89F542DE4CD51C2A0435F01E5A39C11D7DE8E866B6D0C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000209563Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:11:51.970{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1C64A3916ADEEEA73319ED432908F93,SHA256=2EFA4BDB8F2FE364BA922F3F3267249FE52374A91E56B268F518B28222994612,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000272944Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:49.105{EDA2768C-6FDC-642D-0D00-00000000CB02}916C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-192.attackrange.local63933-false10.0.1.14win-dc-ctus-attack-range-192.attackrange.local135epmap 354300x8000000000000000272943Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:49.105{EDA2768C-6FDA-642D-0B00-00000000CB02}648C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-192.attackrange.local63933-false10.0.1.14win-dc-ctus-attack-range-192.attackrange.local135epmap 23542300x8000000000000000209565Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:11:52.929{8E625C7F-6FD8-642D-1100-00000000CC02}976NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=302116245553D5215E12743F80A22789,SHA256=06AD4C1B0B9D4AEE6DDBBBD5440FECDBF80685783BF7AF8282EFDB44BC30C1DF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000209564Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:11:49.643{8E625C7F-6FE3-642D-6100-00000000CC02}3076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-176.us-east-2.compute.internal49883-false10.0.1.12-8000- 354300x8000000000000000272986Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:49.999{EDA2768C-6FEA-642D-2A00-00000000CB02}2644C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-192.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-192.attackrange.local51317- 354300x8000000000000000272985Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:49.999{EDA2768C-6FEA-642D-2A00-00000000CB02}2644C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-192.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-192.attackrange.local55634- 354300x8000000000000000272984Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:49.998{EDA2768C-6FEA-642D-2A00-00000000CB02}2644C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-192.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-192.attackrange.local54822- 354300x8000000000000000272983Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:49.997{EDA2768C-6FEA-642D-2A00-00000000CB02}2644C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-192.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-192.attackrange.local51675- 354300x8000000000000000272982Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:49.997{EDA2768C-6FEA-642D-2A00-00000000CB02}2644C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-192.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-192.attackrange.local56898- 354300x8000000000000000272981Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:49.996{EDA2768C-6FEA-642D-2A00-00000000CB02}2644C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-192.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-192.attackrange.local51865- 354300x8000000000000000272980Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:49.994{EDA2768C-6FEA-642D-2A00-00000000CB02}2644C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-192.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-192.attackrange.local55291- 354300x8000000000000000272979Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:49.994{EDA2768C-6FEA-642D-2A00-00000000CB02}2644C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-192.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-192.attackrange.local56383- 354300x8000000000000000272978Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:49.993{EDA2768C-6FEA-642D-2A00-00000000CB02}2644C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-192.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-192.attackrange.local58414- 354300x8000000000000000272977Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:49.992{EDA2768C-6FEA-642D-2A00-00000000CB02}2644C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-192.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-192.attackrange.local64736- 354300x8000000000000000272976Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:49.991{EDA2768C-6FEA-642D-2A00-00000000CB02}2644C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-192.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-192.attackrange.local58954- 354300x8000000000000000272975Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:49.990{EDA2768C-6FEA-642D-2A00-00000000CB02}2644C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-192.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-192.attackrange.local54440- 354300x8000000000000000272974Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:49.989{EDA2768C-6FEA-642D-2A00-00000000CB02}2644C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-192.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-192.attackrange.local65229- 354300x8000000000000000272973Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:49.989{EDA2768C-6FEA-642D-2A00-00000000CB02}2644C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-192.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-192.attackrange.local50627- 354300x8000000000000000272972Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:49.987{EDA2768C-6FEA-642D-2A00-00000000CB02}2644C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-192.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-192.attackrange.local65186- 354300x8000000000000000272971Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:49.985{EDA2768C-6FEA-642D-2A00-00000000CB02}2644C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-192.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-192.attackrange.local53376- 354300x8000000000000000272970Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:49.980{EDA2768C-6FEA-642D-2A00-00000000CB02}2644C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-192.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-192.attackrange.local50930- 354300x8000000000000000272969Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:49.979{EDA2768C-6FEA-642D-2A00-00000000CB02}2644C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-192.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-192.attackrange.local55746- 354300x8000000000000000272968Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:49.978{EDA2768C-6FEA-642D-2A00-00000000CB02}2644C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-192.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-192.attackrange.local51524- 354300x8000000000000000272967Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:49.977{EDA2768C-6FEA-642D-2A00-00000000CB02}2644C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-192.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-192.attackrange.local55310- 354300x8000000000000000272966Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:49.976{EDA2768C-6FEA-642D-2A00-00000000CB02}2644C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-192.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-192.attackrange.local54718- 354300x8000000000000000272965Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:49.970{EDA2768C-6FEA-642D-2A00-00000000CB02}2644C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-192.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-192.attackrange.local54157- 354300x8000000000000000272964Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:49.969{EDA2768C-6FEA-642D-2A00-00000000CB02}2644C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-192.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-192.attackrange.local56654- 354300x8000000000000000272963Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:49.968{EDA2768C-6FEA-642D-2A00-00000000CB02}2644C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-192.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-192.attackrange.local59068- 354300x8000000000000000272962Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:49.967{EDA2768C-6FEA-642D-2A00-00000000CB02}2644C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-192.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-192.attackrange.local64473- 354300x8000000000000000272961Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:49.967{EDA2768C-6FEA-642D-2A00-00000000CB02}2644C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-192.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-192.attackrange.local58535- 354300x8000000000000000272960Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:49.966{EDA2768C-6FEA-642D-2A00-00000000CB02}2644C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-192.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-192.attackrange.local64087- 354300x8000000000000000272959Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:49.965{EDA2768C-6FEA-642D-2A00-00000000CB02}2644C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-192.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-192.attackrange.local57034- 354300x8000000000000000272958Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:49.964{EDA2768C-6FEA-642D-2A00-00000000CB02}2644C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-192.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-192.attackrange.local56412- 354300x8000000000000000272957Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:49.963{EDA2768C-6FEA-642D-2A00-00000000CB02}2644C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-192.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-192.attackrange.local49892- 354300x8000000000000000272956Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:49.961{EDA2768C-6FEA-642D-2A00-00000000CB02}2644C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-192.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-192.attackrange.local54011- 354300x8000000000000000272955Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:49.960{EDA2768C-6FEA-642D-2A00-00000000CB02}2644C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-192.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-192.attackrange.local51443- 354300x8000000000000000272954Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:49.959{EDA2768C-6FEA-642D-2A00-00000000CB02}2644C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-192.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-192.attackrange.local50184- 354300x8000000000000000272953Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:49.959{EDA2768C-6FEA-642D-2A00-00000000CB02}2644C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-192.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-192.attackrange.local49437- 354300x8000000000000000272952Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:49.957{EDA2768C-6FEA-642D-2A00-00000000CB02}2644C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-192.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-192.attackrange.local56025- 354300x8000000000000000272951Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:49.957{EDA2768C-6FDA-642D-0B00-00000000CB02}648C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-ctus-attack-range-192.attackrange.local56025-false10.0.1.14win-dc-ctus-attack-range-192.attackrange.local53domain 354300x8000000000000000272950Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:49.957{EDA2768C-6FEA-642D-2A00-00000000CB02}2644C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-192.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-192.attackrange.local58317- 354300x8000000000000000272949Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:49.957{EDA2768C-6FDA-642D-0B00-00000000CB02}648C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMudptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-192.attackrange.local58317-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-192.attackrange.local53domain 354300x8000000000000000272948Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:49.948{EDA2768C-6FDA-642D-0B00-00000000CB02}648C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-192.attackrange.local63934-false10.0.1.14win-dc-ctus-attack-range-192.attackrange.local49666- 354300x8000000000000000272947Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:49.948{EDA2768C-6FDA-642D-0B00-00000000CB02}648C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-192.attackrange.local63934-false10.0.1.14win-dc-ctus-attack-range-192.attackrange.local49666- 23542300x8000000000000000272946Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:52.117{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=549B6A6BBF2D3F18E0BFB3918D09267E,SHA256=46184F729854AFA84C3D17B5E4DEDC56D8F4CEAA3B3FCB1F1B60A1FF9BA6CFE7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272945Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:52.024{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1EF98873F6A69A74AEEFADB650874C4,SHA256=1F41BDC7C5FA562E53E5158EB39954DA3666CFB5E4014E1B7CC6828A1F2785E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000209566Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:11:53.071{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C5105613A1519DE6C4A91B7DE2278DE,SHA256=91F181A4F59087D8261F3F8637B99CEBE85A65BB04AD57399B26E61BC1AC60C7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000272992Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:50.011{EDA2768C-6FF5-642D-7000-00000000CB02}1600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-192.attackrange.local63935-false10.0.1.12-8000- 354300x8000000000000000272991Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:50.009{EDA2768C-6FEA-642D-2A00-00000000CB02}2644C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-192.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-192.attackrange.local57329- 354300x8000000000000000272990Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:50.008{EDA2768C-6FEA-642D-2A00-00000000CB02}2644C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-192.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-192.attackrange.local58957- 354300x8000000000000000272989Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:50.003{EDA2768C-6FEA-642D-2A00-00000000CB02}2644C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-192.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-192.attackrange.local58147- 354300x8000000000000000272988Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:50.003{EDA2768C-6FEA-642D-2A00-00000000CB02}2644C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-192.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-192.attackrange.local58949- 23542300x8000000000000000272987Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:53.164{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D63A13A0B36F9483FB3418A2F3D98C3A,SHA256=7F9E5228AB1111820F1B66B8BAC7447AFCF3133072E149CB9B2199607C05A848,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000209569Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:11:54.816{8E625C7F-6FD8-642D-0D00-00000000CC02}7883924C:\Windows\system32\svchost.exe{8E625C7F-6FD7-642D-0C00-00000000CC02}740C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3ca94|c:\windows\system32\rpcss.dll+29447|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209568Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:11:54.816{8E625C7F-6FD8-642D-0D00-00000000CC02}7883924C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1000-00000000CC02}932C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3ca94|c:\windows\system32\rpcss.dll+29447|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000209567Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:11:54.281{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1791369D325FD0B1CAF5E9108D983262,SHA256=523DA50859C0B4428673596D796AB9E52BA6DFF9A13BDD3E0C5C5CF0833F0861,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272993Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:54.227{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E24D31D09E7BCE75BAF98DEE2B74F29,SHA256=E1D8D9CDA59B60A3037AAA298F71B7110D18A40AEC47BE06A6F0137D547AACE5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000209570Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:11:55.382{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D92FC433BB0806835E55411E7F45D071,SHA256=632BE6A4D8AAF572B362EF3D8B4DE0D6A59A858B9527E475AF849F34C149F6C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272995Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:55.321{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6ABDEE63C8955478A7D0FDB7B68555FE,SHA256=C5E7C76D8F6EFF8687B74372EDCC8FC7D2556D7DE003608B711A64DB669B1578,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272994Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:55.242{EDA2768C-6FEA-642D-2900-00000000CB02}2628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=CD82F695E36C4CE831DC78A0E4B26F34,SHA256=8EC7329A12F834D7DD0BB6C8C21CB81D9EC7C8754D8626DBD273A94E92B4D26F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000209571Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:11:56.482{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E330E42E5A67AB0D58BF2FB12740DE83,SHA256=685F93CEFDAA548ACC20EDD130F1E4E029D10DD911B56DA39D4633DF78366D51,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272996Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:56.414{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77B3E3FA9BD018DF0A645FBEAA0AF5A5,SHA256=B37B0D17D73F61F3540B07491B3CB5E208F6E588B427A4E0559D1C1E28872485,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000209573Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:11:57.583{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A432370159A233BE847089DC4D7C64C,SHA256=2E5544E8384C85680F02DBF2C4F0A8D6288FB501D6DAA12359FB0AD3028160AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272997Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:57.727{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=096483F942BEAFCA59B415A0C1EB6AE9,SHA256=73DCC87A236E985287543B897083F80674BFCB916B3B87CCCC5C6A3A15E83AD8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000209572Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:11:54.628{8E625C7F-6FE3-642D-6100-00000000CC02}3076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-176.us-east-2.compute.internal49884-false10.0.1.12-8000- 23542300x8000000000000000209574Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:11:58.683{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE393F1A70C7350672641AC5AB1FB0E5,SHA256=85795756EF05F88A699C9BDDAD7E62543DF207A2B4BB05B3DDA28DB6C15B4361,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273000Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:58.930{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A61494275CF62DC66E12CBC79F06A20,SHA256=68517CBF14547E6A02AD2979B928496732C0E320F6AED3339589B6DD68C0D3E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272999Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:58.321{EDA2768C-6FDC-642D-1100-00000000CB02}92NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=B8CDAA41C1A2D95FC62A3F8677135D44,SHA256=AC1D2048CDDD97690F5CB62A2B35C4CD8D7D0F55F8551D5E210BEE70E6126EAB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272998Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:58.133{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=153C182860BE58A8FAA0F8FCF99CBBD6,SHA256=C7E60FCC19A7B20329CA42834B4AF3CD5F48837DA574F350B0948854B6698C30,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000273001Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:11:55.980{EDA2768C-6FF5-642D-7000-00000000CB02}1600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-192.attackrange.local63936-false10.0.1.12-8000- 23542300x8000000000000000209575Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:12:00.003{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D99411AFC19AF72568734A309F8A765,SHA256=51D1149CF7A02598097E3A69E9142E753A0F83E535F6E141E3FE28B841BC4982,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273005Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:12:00.024{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87958A4D705558DA39B28EE8C45F4EDE,SHA256=D5DD4B13BDBA382D995FEAF9B5A5E666E40052F1ED00C6917942D0C3014D3022,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000273004Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:12:00.024{EDA2768C-6FDC-642D-0D00-00000000CB02}9161080C:\Windows\system32\svchost.exe{EDA2768C-6FDC-642D-1200-00000000CB02}388C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3ca94|c:\windows\system32\rpcss.dll+29447|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273003Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:12:00.024{EDA2768C-6FDC-642D-0D00-00000000CB02}9161080C:\Windows\system32\svchost.exe{EDA2768C-6FDC-642D-0C00-00000000CB02}856C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3ca94|c:\windows\system32\rpcss.dll+29447|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273002Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:12:00.024{EDA2768C-6FDC-642D-0D00-00000000CB02}9161080C:\Windows\system32\svchost.exe{EDA2768C-6FDC-642D-1000-00000000CB02}360C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3ca94|c:\windows\system32\rpcss.dll+29447|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000209576Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:12:01.103{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59DB83F192A168224E0C23D0DC18908D,SHA256=7263A3F9F8A7FE506EF3166D6B1A7A2C4B410504EE271E3DDBBBE26A1B0FFB81,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273006Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:12:01.118{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64CA6EACCF73257ED5FB995ABC99363C,SHA256=A961E31D79EBCDC9FE6696AA162B15DF9A727CDE6540155C56AA81A9F884D573,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000209578Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:12:00.565{8E625C7F-6FE3-642D-6100-00000000CC02}3076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-176.us-east-2.compute.internal49885-false10.0.1.12-8000- 23542300x8000000000000000209577Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:12:02.204{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2685EBB4ABDEBAD9E16A26F70722A98F,SHA256=BA01814784B89A64A8DC38D360EB9BBDF59147FF95607F5F9BF392B3972534FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273007Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:12:02.321{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCC8710D110B0C446CFCBBCEE9A39E45,SHA256=E1DF098B8AA569BC7E272CB9C9856AD7C9384E1B441F1529D3B13D78F3E0F402,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000209579Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:12:03.524{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF561A9CD97D7F37C2A59E7C1ADFEEA0,SHA256=2C78EEB0C3B57323A39BD568350EEFA7656665473882C7D578123678043959B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273008Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:12:03.524{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8EDEE9A5779053F56C65C29E12DC1AC0,SHA256=AFBE713D58F056A8E92E9584242E6811B57AA813F62678C77DFB949EF3B859D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000209581Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:12:04.624{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9779211D56937645EC0BE84F1A2B71E3,SHA256=BB615FE0EDC4B0DFEE2039DD49B2DF9516F10E7FDE7534B9C6D5FCE5D5A660D2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000273010Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:12:01.933{EDA2768C-6FF5-642D-7000-00000000CB02}1600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-192.attackrange.local63937-false10.0.1.12-8000- 23542300x8000000000000000273009Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:12:04.727{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBD739CEBBBE054450FC17296B2B74E0,SHA256=09AE790DB7B8CA324B9D5115A2BD2F7F8CA36E780C76A8A35BBEBEC45DC1DB2C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000209580Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:12:04.089{8E625C7F-6FD8-642D-1E00-00000000CC02}1944NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=A7F5F15494D40628A6454642BDB837C6,SHA256=A232CA83B5EE3C99D23413319539A66CCCA50F101DFBC10136DB50B1520A2DBE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000209595Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:12:05.944{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=970EA4C6FC01405CCF636C17E72AE531,SHA256=8A2AEFFBAEDD519CFB693E3C96743DCAF8DFC8CEF1EFC0036627A3536ED9979A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273011Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:12:05.930{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=574F050F2DEAF7AAAE1B62DF283A7EC0,SHA256=4E0EE6BDB079D7A0665E8AFD5F081B6958769DE594D1D51C84676FF93C7F9E34,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000209594Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:12:05.786{8E625C7F-6FD9-642D-2E00-00000000CC02}28362856C:\Windows\system32\conhost.exe{8E625C7F-73A5-642D-1501-00000000CC02}3464C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209593Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:12:05.786{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209592Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:12:05.786{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209591Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:12:05.786{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209590Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:12:05.786{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209589Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:12:05.786{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209588Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:12:05.786{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209587Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:12:05.786{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209586Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:12:05.786{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209585Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:12:05.786{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209584Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:12:05.786{8E625C7F-6FD7-642D-0500-00000000CC02}4123824C:\Windows\system32\csrss.exe{8E625C7F-73A5-642D-1501-00000000CC02}3464C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000209583Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:12:05.786{8E625C7F-6FD8-642D-1E00-00000000CC02}19442984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8E625C7F-73A5-642D-1501-00000000CC02}3464C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000209582Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:12:05.787{8E625C7F-73A5-642D-1501-00000000CC02}3464C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8E625C7F-6FD7-642D-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{8E625C7F-6FD8-642D-1E00-00000000CC02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000209610Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:12:06.996{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BA142AA024780B4337D2C97F8AD59C6B,SHA256=E63C47870E66F6D67A44F6BC0F1CF9B603790755A0E40470263757ECB26141BB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000209609Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:12:06.871{8E625C7F-6FD9-642D-2E00-00000000CC02}28362856C:\Windows\system32\conhost.exe{8E625C7F-73A6-642D-1601-00000000CC02}3776C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209608Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:12:06.871{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209607Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:12:06.871{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209606Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:12:06.871{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209605Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:12:06.871{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209604Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:12:06.871{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209603Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:12:06.871{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209602Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:12:06.871{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209601Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:12:06.871{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209600Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:12:06.871{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209599Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:12:06.871{8E625C7F-6FD7-642D-0500-00000000CC02}4123824C:\Windows\system32\csrss.exe{8E625C7F-73A6-642D-1601-00000000CC02}3776C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000209598Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:12:06.871{8E625C7F-6FD8-642D-1E00-00000000CC02}19442984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8E625C7F-73A6-642D-1601-00000000CC02}3776C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000209597Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:12:06.871{8E625C7F-73A6-642D-1601-00000000CC02}3776C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8E625C7F-6FD7-642D-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{8E625C7F-6FD8-642D-1E00-00000000CC02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000209596Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:12:03.534{8E625C7F-6FD8-642D-1E00-00000000CC02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-176.us-east-2.compute.internal49886-false10.0.1.12-8089- 354300x8000000000000000209627Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:12:05.597{8E625C7F-6FE3-642D-6100-00000000CC02}3076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-176.us-east-2.compute.internal49887-false10.0.1.12-8000- 10341000x8000000000000000209626Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:12:07.546{8E625C7F-6FD9-642D-2E00-00000000CC02}28362856C:\Windows\system32\conhost.exe{8E625C7F-73A7-642D-1701-00000000CC02}1240C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209625Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:12:07.546{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209624Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:12:07.546{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209623Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:12:07.546{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209622Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:12:07.546{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209621Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:12:07.546{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209620Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:12:07.546{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209619Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:12:07.546{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209618Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:12:07.546{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209617Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:12:07.546{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209616Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:12:07.546{8E625C7F-6FD7-642D-0500-00000000CC02}412540C:\Windows\system32\csrss.exe{8E625C7F-73A7-642D-1701-00000000CC02}1240C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000209615Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:12:07.546{8E625C7F-6FD8-642D-1E00-00000000CC02}19442984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8E625C7F-73A7-642D-1701-00000000CC02}1240C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000209614Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:12:07.547{8E625C7F-73A7-642D-1701-00000000CC02}1240C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8E625C7F-6FD7-642D-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{8E625C7F-6FD8-642D-1E00-00000000CC02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000209613Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:12:07.059{8E625C7F-6FD8-642D-1E00-00000000CC02}1944NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=194E8F489DAC983D8DCF79B34C709720,SHA256=2B68B49B27552D5C25FCDF83B797DFE8F6B070B61B5A88DD5A8E535B0B095ABC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000209612Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:12:07.043{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E86E8CBB1A802B45215C1258E70D5A86,SHA256=E7D18C603436C8FF1D452C08668C1124729FD23788B591CE961567B729E02E18,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000209611Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:12:07.043{8E625C7F-73A6-642D-1601-00000000CC02}37763560C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{8E625C7F-6FD8-642D-1E00-00000000CC02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000273012Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:12:07.134{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4CF9D8A50C9269BB5C3349ACD41BE7C,SHA256=02174282FFE049A55FCB1A89519A1FB8B8DF4D11399E818C2E155EE17B3ADD86,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000209628Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:12:08.143{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C62F0274996EC563853A0F4106722A91,SHA256=1D50E2CC770E474F444B0FD513433251251241108AD7659F69EF3D94E8A0E6B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273013Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:12:08.227{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9CFEA219057407FD3D240CB5FFBA7C1,SHA256=99459973D06DA224B6CBE8DE1DF42F0D7F5FA1C6573BCE5CCE4FD3536F0EADB5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000209643Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:12:09.557{8E625C7F-73A9-642D-1801-00000000CC02}36442660C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{8E625C7F-6FD8-642D-1E00-00000000CC02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209642Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:12:09.385{8E625C7F-6FD9-642D-2E00-00000000CC02}28362856C:\Windows\system32\conhost.exe{8E625C7F-73A9-642D-1801-00000000CC02}3644C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209641Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:12:09.385{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209640Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:12:09.385{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209639Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:12:09.385{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209638Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:12:09.385{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209637Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:12:09.385{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209636Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:12:09.385{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209635Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:12:09.385{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209634Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:12:09.385{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209633Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:12:09.385{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209632Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:12:09.385{8E625C7F-6FD7-642D-0500-00000000CC02}4121036C:\Windows\system32\csrss.exe{8E625C7F-73A9-642D-1801-00000000CC02}3644C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000209631Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:12:09.385{8E625C7F-6FD8-642D-1E00-00000000CC02}19442984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8E625C7F-73A9-642D-1801-00000000CC02}3644C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000209630Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:12:09.385{8E625C7F-73A9-642D-1801-00000000CC02}3644C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8E625C7F-6FD7-642D-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{8E625C7F-6FD8-642D-1E00-00000000CC02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000209629Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:12:09.243{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26282F8A506E82E7DE10D0EF563852F8,SHA256=8EEB8830821B2287C093245D64DF96BF6E911AF07AF388E6A477DF950AF5C681,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273014Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:12:09.431{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4283C6C5579A8C71348CDCEDD186B90,SHA256=3093EBAD1BE989AC1D35EB9361BF90D4249A22BE0C81CF1F9A1211AF24D194E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000209658Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:12:10.547{8E625C7F-73AA-642D-1901-00000000CC02}39004000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{8E625C7F-6FD8-642D-1E00-00000000CC02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209657Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:12:10.374{8E625C7F-6FD9-642D-2E00-00000000CC02}28362856C:\Windows\system32\conhost.exe{8E625C7F-73AA-642D-1901-00000000CC02}3900C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209656Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:12:10.374{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209655Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:12:10.374{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209654Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:12:10.374{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209653Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:12:10.374{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209652Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:12:10.374{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209651Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:12:10.374{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209650Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:12:10.374{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209649Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:12:10.374{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209648Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:12:10.374{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209647Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:12:10.374{8E625C7F-6FD7-642D-0500-00000000CC02}412540C:\Windows\system32\csrss.exe{8E625C7F-73AA-642D-1901-00000000CC02}3900C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000209646Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:12:10.374{8E625C7F-6FD8-642D-1E00-00000000CC02}19442984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8E625C7F-73AA-642D-1901-00000000CC02}3900C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000209645Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:12:10.375{8E625C7F-73AA-642D-1901-00000000CC02}3900C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{8E625C7F-6FD7-642D-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{8E625C7F-6FD8-642D-1E00-00000000CC02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000209644Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:12:10.343{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F00EBE780C6F7C0858D80B4F3BC439A2,SHA256=D50CBA8A8FFD2B53090FC739B9B130C48306F5D9B0C833714B6B10E307534A24,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000273017Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:12:07.933{EDA2768C-6FF5-642D-7000-00000000CB02}1600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-192.attackrange.local63938-false10.0.1.12-8000- 23542300x8000000000000000273016Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:12:10.524{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99C6F7774E3EDBB7C5FF15A8D26170A6,SHA256=DEC7431E18E30E2CD4E009F66C34D0841EA51258C318D23A9198175B845188F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273015Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:12:10.212{EDA2768C-6FEA-642D-2900-00000000CB02}2628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=D5CA56D6F3597357E8C3B1CA51B9F30C,SHA256=9E08A18D639B411C72E2A6F9A6F9758642B555BE3D4AE0CCE8F17A39E92A7600,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000209673Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:12:11.678{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6509DCDA69E60F096148712E81A6DF7,SHA256=5642E1F0586699CFD52AFD05A761B93ED24C966025A509D55D9AF21C5BF1FCFD,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000273019Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:12:09.058{EDA2768C-6FEA-642D-2900-00000000CB02}2628C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-192.attackrange.local63939-false10.0.1.12-8089- 23542300x8000000000000000273018Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:12:11.618{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5510BF205FD4679266244584AAD66803,SHA256=D79A2B32A3AC2D799CB28B170BD2CA1C92B43BA86CCBE23C2E0F6AA0D2899F48,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000209672Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:12:11.207{8E625C7F-73AB-642D-1A01-00000000CC02}38522976C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{8E625C7F-6FD8-642D-1E00-00000000CC02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209671Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:12:11.050{8E625C7F-6FD9-642D-2E00-00000000CC02}28362856C:\Windows\system32\conhost.exe{8E625C7F-73AB-642D-1A01-00000000CC02}3852C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209670Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:12:11.050{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209669Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:12:11.050{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209668Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:12:11.050{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209667Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:12:11.050{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209666Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:12:11.050{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209665Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:12:11.050{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209664Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:12:11.050{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209663Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:12:11.050{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209662Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:12:11.050{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209661Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:12:11.050{8E625C7F-6FD7-642D-0500-00000000CC02}412428C:\Windows\system32\csrss.exe{8E625C7F-73AB-642D-1A01-00000000CC02}3852C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000209660Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:12:11.050{8E625C7F-6FD8-642D-1E00-00000000CC02}19442984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8E625C7F-73AB-642D-1A01-00000000CC02}3852C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000209659Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:12:11.050{8E625C7F-73AB-642D-1A01-00000000CC02}3852C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8E625C7F-6FD7-642D-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{8E625C7F-6FD8-642D-1E00-00000000CC02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000209688Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:12:12.919{8E625C7F-6FD9-642D-2E00-00000000CC02}28362856C:\Windows\system32\conhost.exe{8E625C7F-73AC-642D-1B01-00000000CC02}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209687Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:12:12.919{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209686Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:12:12.919{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209685Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:12:12.919{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209684Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:12:12.919{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209683Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:12:12.919{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209682Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:12:12.919{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209681Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:12:12.919{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209680Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:12:12.919{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209679Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:12:12.919{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209678Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:12:12.919{8E625C7F-6FD7-642D-0500-00000000CC02}412428C:\Windows\system32\csrss.exe{8E625C7F-73AC-642D-1B01-00000000CC02}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000209677Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:12:12.919{8E625C7F-6FD8-642D-1E00-00000000CC02}19442984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8E625C7F-73AC-642D-1B01-00000000CC02}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000209676Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:12:12.920{8E625C7F-73AC-642D-1B01-00000000CC02}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8E625C7F-6FD7-642D-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{8E625C7F-6FD8-642D-1E00-00000000CC02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000209675Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:12:12.778{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C1C9D4444B475A12F4C539F111D4980,SHA256=9266FABF395B9922C62B43DF927DB57AC2CE11B688A31102858968F5F6ADBF7A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273020Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:12:12.728{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59B629A27E52BD7D69EB1CFC0A38C12B,SHA256=D3D761B1AA3E94B03272295D8189EF97E9997D4DEB20DC6F68F780B79E23A737,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000209674Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:12:12.165{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1994155FA5F27AB3A9B71ED48BE445B7,SHA256=9A7101D695DEFD3EA3346485995421888EC555FDEEC3FA9CD05835F554B8A443,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000209690Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:12:13.877{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C3D2A1CC6A366282591AC3710A1E9B9,SHA256=2C1915C604F90442973C331C35BB88AEEF944935B3ED53CE637344FC77714B40,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273021Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:12:13.931{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98F98EE870FE7E3F753EC462FB62EA00,SHA256=AC4A3D5DB22EC1F3BCCAFD5EE00565CC03B8C546CC660656F4C39A4FB65D3044,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000209689Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:12:10.597{8E625C7F-6FE3-642D-6100-00000000CC02}3076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-176.us-east-2.compute.internal49888-false10.0.1.12-8000- 23542300x8000000000000000209691Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:12:14.977{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86372F0D0E1ABC3A0DD386723DFD7D3B,SHA256=2A12AED8CEDEBA30497AE31B96AED911F7FA64A2839319DC79B9B5CF911B0B30,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273022Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:12:15.025{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B354D613CB4730045D14360FC2530B74,SHA256=FBD2D05EF5B8FCBFA5768BEEED06E3D2DC20B770A2D16B2203688542D8F046DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000209692Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:12:16.076{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71FD264BC4D895C9FADECBD63CFEF524,SHA256=DA324D207FCF9BD250252D39C2027156295062AD11D57A069A9462F456BCF113,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000273024Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:12:13.059{EDA2768C-6FF5-642D-7000-00000000CB02}1600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-192.attackrange.local63940-false10.0.1.12-8000- 23542300x8000000000000000273023Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:12:16.228{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=251415623D752EBBE931B3DD76B93824,SHA256=1A774435D33C085238B3DC4777B7B97B3C7496D59F3469C2FFB73FE76156C766,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000209694Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:12:15.581{8E625C7F-6FE3-642D-6100-00000000CC02}3076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-176.us-east-2.compute.internal49889-false10.0.1.12-8000- 23542300x8000000000000000209693Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:12:17.286{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6029515BFC8A154FA9CFBF5B0EF8670E,SHA256=ABB92F5E8FC136859087709A630040E019A4B8A64C0A06CC477403B29A5DAD2B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273025Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:12:17.322{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B10FBD22D3F53D679697DFB43D5382C0,SHA256=1EEAD226F03C566E240CAECF2FF2D8530F1D0EAC91D14656A3F66A4E3E7ADF60,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000209696Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:12:18.383{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C982B7DC858A19A4A5C64E834D864B81,SHA256=FB8C528C52A558A5CF5D290DD24E3050D92CBBEDFA930017F42EA427DD6DAABC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273026Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:12:18.525{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4649E2C8679D5FB6542025D6452D8E9C,SHA256=F723A1C726346F5BA7FDA39C9A57F159C290967B30212F8D7FB3E8690AE92798,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000209695Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:12:18.285{8E625C7F-6FD8-642D-1A00-00000000CC02}1868NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0349dcef4ef1bffd1\channels\health\respondent-20230405125554-015MD5=01AFA1117B3FF8C251038CF8389D3BC3,SHA256=E6B2DA3B1F447C8796BEA507CA8DDC0A951700532C0315D7CA2BAFBA4D11A451,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000209698Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:12:19.486{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C520230220E8256C3BBC21F259ED4F3,SHA256=5031EA4AC0C53B088C85CA79765D062FE316266A6A97ADAE8654459BC0154C0A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273027Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:12:19.728{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B72E277DA959E0DEE26ED03AE83D1C0,SHA256=A46B11264178CADA4ADB9854FB07E23940FE13BBCF300A80F8FBCEE27EF3765B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000209697Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:12:19.295{8E625C7F-6FD8-642D-1A00-00000000CC02}1868NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0349dcef4ef1bffd1\channels\health\surveyor-20230405125553-016MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000209699Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:12:20.594{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13A8BF6F2856242378BC34E9FCCE30BC,SHA256=B0D725EA47611E7C25462ABC7404E03F0CF01A1ECDDE7F51A4A1399E8580C2B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273030Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:12:20.822{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09FDC28B643CA67777E90A684E09836C,SHA256=87694AC7F558785426F55B844453B07922E83069A49F10B5D67F16BE8C2CAC61,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000273029Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:12:17.983{EDA2768C-6FD6-642D-0100-00000000CB02}4SystemNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.255-138netbios-dgmfalse10.0.1.14win-dc-ctus-attack-range-192.attackrange.local138netbios-dgm 354300x8000000000000000273028Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:12:17.983{EDA2768C-6FD6-642D-0100-00000000CB02}4SystemNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-ctus-attack-range-192.attackrange.local138netbios-dgmfalse10.0.1.255-138netbios-dgm 23542300x8000000000000000209700Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:12:21.693{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6503D136F984FBB0F744AE91DC0DE37,SHA256=FB5D48D0BDFA1A2BF46D5BF90BCB0A679587E2EC7E5575173A450DE7A820AE11,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273032Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:12:21.916{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2C1868CDC28AD4E690553BA87B5BB03,SHA256=46AE4B44B9E5DB17988CB0C6C0BF66475DBFA134E552DC1DA81EB60A97C586BA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000273031Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:12:19.042{EDA2768C-6FF5-642D-7000-00000000CB02}1600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-192.attackrange.local63941-false10.0.1.12-8000- 23542300x8000000000000000209701Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:12:22.792{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C03BCCAD91086B068AB85E5049639EC8,SHA256=514E126BEF5826D3FA233854918D99819715CBBB7E81EE0C3B55372DCC9C041C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000209702Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:12:20.559{8E625C7F-6FE3-642D-6100-00000000CC02}3076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-176.us-east-2.compute.internal49890-false10.0.1.12-8000- 23542300x8000000000000000273033Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:12:23.009{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C13FE2ACC3EB6306BD8A7EAEA3F8FF5,SHA256=E1D59EBEAD76FE41DE84632291C88CAA7224F3721E5138ABA745B0F260CB084A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000209703Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:12:24.001{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F123A8399A2AFEC56E3510E3DF2DC253,SHA256=BA912DFED6BC30CA9A4CBF91BA61EC26800ACA8585E1E0DABED8F5B45720FA17,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000273060Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:12:24.931{EDA2768C-6FEB-642D-3500-00000000CB02}31363164C:\Windows\system32\conhost.exe{EDA2768C-73B8-642D-1D01-00000000CB02}2304C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273059Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:12:24.931{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273058Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:12:24.931{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273057Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:12:24.931{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273056Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:12:24.931{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273055Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:12:24.931{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273054Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:12:24.931{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273053Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:12:24.931{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273052Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:12:24.931{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273051Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:12:24.931{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273050Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:12:24.931{EDA2768C-6FD9-642D-0500-00000000CB02}420548C:\Windows\system32\csrss.exe{EDA2768C-73B8-642D-1D01-00000000CB02}2304C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000273049Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:12:24.931{EDA2768C-6FEA-642D-2900-00000000CB02}26284044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EDA2768C-73B8-642D-1D01-00000000CB02}2304C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000273048Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:12:24.932{EDA2768C-73B8-642D-1D01-00000000CB02}2304C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{EDA2768C-6FDA-642D-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{EDA2768C-6FEA-642D-2900-00000000CB02}2628C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000273047Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:12:24.103{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0CCFABCDCC82913CC7B752C018B9E2A9,SHA256=095E805BA824EE039565FAC55E03FC36B4297E52CA866D38291615D00DA70F1C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000273046Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:12:24.041{EDA2768C-6FEB-642D-3500-00000000CB02}31363164C:\Windows\system32\conhost.exe{EDA2768C-73B8-642D-1C01-00000000CB02}2104C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273045Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:12:24.041{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273044Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:12:24.041{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273043Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:12:24.041{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273042Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:12:24.041{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273041Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:12:24.041{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273040Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:12:24.041{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273039Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:12:24.041{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273038Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:12:24.041{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273037Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:12:24.041{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273036Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:12:24.041{EDA2768C-6FD9-642D-0500-00000000CB02}420436C:\Windows\system32\csrss.exe{EDA2768C-73B8-642D-1C01-00000000CB02}2104C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000273035Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:12:24.041{EDA2768C-6FEA-642D-2900-00000000CB02}26284044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EDA2768C-73B8-642D-1C01-00000000CB02}2104C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000273034Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:12:24.041{EDA2768C-73B8-642D-1C01-00000000CB02}2104C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{EDA2768C-6FDA-642D-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{EDA2768C-6FEA-642D-2900-00000000CB02}2628C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000209704Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:12:25.210{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31CD583E59845CBDFDBDDDCC31BDC275,SHA256=B169125E03F8189FCF071F855B071FC7BF3C556197E27ADAB3E1B7E710507A9F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000273077Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:12:25.806{EDA2768C-6FEB-642D-3500-00000000CB02}31363164C:\Windows\system32\conhost.exe{EDA2768C-73B9-642D-1E01-00000000CB02}2232C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273076Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:12:25.806{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273075Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:12:25.806{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273074Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:12:25.806{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273073Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:12:25.806{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273072Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:12:25.806{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273071Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:12:25.806{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273070Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:12:25.806{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273069Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:12:25.806{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273068Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:12:25.806{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273067Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:12:25.806{EDA2768C-6FD9-642D-0500-00000000CB02}420784C:\Windows\system32\csrss.exe{EDA2768C-73B9-642D-1E01-00000000CB02}2232C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000273066Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:12:25.806{EDA2768C-6FEA-642D-2900-00000000CB02}26284044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EDA2768C-73B9-642D-1E01-00000000CB02}2232C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000273065Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:12:25.807{EDA2768C-73B9-642D-1E01-00000000CB02}2232C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{EDA2768C-6FDA-642D-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{EDA2768C-6FEA-642D-2900-00000000CB02}2628C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000273064Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:12:25.588{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=705FD4B30646643B0C42BADBDF6D5405,SHA256=73D646E70C6B2683ED8AAEBD037A4B6D7587C7CD3F6A70A696F3570CDCA8CA90,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273063Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:12:25.588{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3FEE63DF961FA0B81D82E475F4057E0B,SHA256=8C8C1BA36881D48CD0D22EC55E16E521CFE281799C15DCF0E33514E5604656CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273062Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:12:25.463{EDA2768C-6FEA-642D-2900-00000000CB02}2628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=DB62EBA1C60944582E7E4B0B59EABCC7,SHA256=B521CBB2E333609455B557B198105CEAE1285B7D948BFE573BC968E2B0F6115E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000273061Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:12:25.119{EDA2768C-73B8-642D-1D01-00000000CB02}23043752C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{EDA2768C-6FEA-642D-2900-00000000CB02}2628C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000209705Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:12:26.309{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=177476714DE279356514209DB6F52A6B,SHA256=1571BAFE5AD10893C5311B460AD871F9A1EB70F4AC87128F0FBDEAD0B5630AB2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273078Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:12:26.197{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED44F04BA8384C2F9F298AC716FF6A0D,SHA256=99EA93A09D9FCF658849F7970A633F4CB7B5B4E8892947EDC9896C0DAAEE80A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000209706Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:12:27.408{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F889FE4DC0B8B8E36C25EF0EA5CD0B0C,SHA256=A9009B1347B733094EEDF2F54C3BAB54C52B24B9C2F4C62FEFD88E9901CA5575,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000273094Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:12:27.916{EDA2768C-6FEB-642D-3500-00000000CB02}31363164C:\Windows\system32\conhost.exe{EDA2768C-73BB-642D-1F01-00000000CB02}3744C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273093Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:12:27.916{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273092Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:12:27.916{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273091Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:12:27.916{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273090Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:12:27.916{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273089Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:12:27.916{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273088Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:12:27.916{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273087Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:12:27.916{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273086Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:12:27.916{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273085Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:12:27.916{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273084Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:12:27.916{EDA2768C-6FD9-642D-0500-00000000CB02}420436C:\Windows\system32\csrss.exe{EDA2768C-73BB-642D-1F01-00000000CB02}3744C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000273083Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:12:27.916{EDA2768C-6FEA-642D-2900-00000000CB02}26284044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EDA2768C-73BB-642D-1F01-00000000CB02}3744C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000273082Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:12:27.917{EDA2768C-73BB-642D-1F01-00000000CB02}3744C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{EDA2768C-6FDA-642D-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{EDA2768C-6FEA-642D-2900-00000000CB02}2628C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000273081Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:12:24.667{EDA2768C-6FDA-642D-0B00-00000000CB02}648C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-192.attackrange.local63942-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-192.attackrange.local389ldap 354300x8000000000000000273080Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:12:24.667{EDA2768C-6FEA-642D-2700-00000000CB02}2600C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-192.attackrange.local63942-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-192.attackrange.local389ldap 23542300x8000000000000000273079Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:12:27.400{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80C94D8CE2BC84AAA85A74DDA8186BC4,SHA256=C831C9EDF1823444E583CCE311A4A6C7369B3B735E520469BAAC0C35F01F11CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000209708Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:12:28.507{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12C32113188C3D1C3900A4D466974324,SHA256=531385A6D420D1633B0F8F840FDB46B0C744FF133D149B84C3568F0A8A22684C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000273111Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:12:28.728{EDA2768C-73BC-642D-2001-00000000CB02}35562212C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{EDA2768C-6FEA-642D-2900-00000000CB02}2628C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273110Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:12:28.556{EDA2768C-6FEB-642D-3500-00000000CB02}31363164C:\Windows\system32\conhost.exe{EDA2768C-73BC-642D-2001-00000000CB02}3556C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273109Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:12:28.556{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273108Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:12:28.556{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273107Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:12:28.556{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273106Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:12:28.556{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273105Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:12:28.556{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273104Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:12:28.556{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273103Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:12:28.556{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273102Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:12:28.556{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273101Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:12:28.556{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273100Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:12:28.556{EDA2768C-6FD9-642D-0500-00000000CB02}420784C:\Windows\system32\csrss.exe{EDA2768C-73BC-642D-2001-00000000CB02}3556C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000273099Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:12:28.556{EDA2768C-6FEA-642D-2900-00000000CB02}26284044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EDA2768C-73BC-642D-2001-00000000CB02}3556C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000273098Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:12:28.558{EDA2768C-73BC-642D-2001-00000000CB02}3556C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{EDA2768C-6FDA-642D-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{EDA2768C-6FEA-642D-2900-00000000CB02}2628C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000273097Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:12:28.494{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8A3E4F68DB1967FA93853CEE0518D01,SHA256=75E5F43C17663D721CF8CB06FF377ECA68E6DDED0C77DA2EE8DEA37F1B8E80A5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000273096Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:12:25.011{EDA2768C-6FF5-642D-7000-00000000CB02}1600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-192.attackrange.local63943-false10.0.1.12-8000- 354300x8000000000000000209707Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:12:25.590{8E625C7F-6FE3-642D-6100-00000000CC02}3076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-176.us-east-2.compute.internal49891-false10.0.1.12-8000- 10341000x8000000000000000273095Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:12:28.119{EDA2768C-73BB-642D-1F01-00000000CB02}37443920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{EDA2768C-6FEA-642D-2900-00000000CB02}2628C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000209709Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:12:29.716{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B831DF5592269228D2A156D93FEB7AB8,SHA256=5D764600AB1538C65BBEE71D5263C25C6229BA489716F3AA08B591EDB0DA5FF3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273126Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:12:29.791{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=448B2FF9D470DBA3CF6AE98D89469DAA,SHA256=646F68CAF36F879F985ECDAC078A15A8A44CFE00BCE9D7716AB8044EFD9A6368,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000273125Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:12:29.533{EDA2768C-73BD-642D-2101-00000000CB02}12123052C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{EDA2768C-6FEA-642D-2900-00000000CB02}2628C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273124Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:12:29.181{EDA2768C-6FEB-642D-3500-00000000CB02}31363164C:\Windows\system32\conhost.exe{EDA2768C-73BD-642D-2101-00000000CB02}1212C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273123Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:12:29.181{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273122Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:12:29.181{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273121Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:12:29.181{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273120Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:12:29.181{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273119Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:12:29.181{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273118Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:12:29.181{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273117Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:12:29.181{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273116Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:12:29.181{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273115Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:12:29.181{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273114Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:12:29.181{EDA2768C-6FD9-642D-0500-00000000CB02}420436C:\Windows\system32\csrss.exe{EDA2768C-73BD-642D-2101-00000000CB02}1212C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000273113Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:12:29.181{EDA2768C-6FEA-642D-2900-00000000CB02}26284044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EDA2768C-73BD-642D-2101-00000000CB02}1212C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000273112Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:12:29.182{EDA2768C-73BD-642D-2101-00000000CB02}1212C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{EDA2768C-6FDA-642D-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{EDA2768C-6FEA-642D-2900-00000000CB02}2628C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000209710Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:12:30.815{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B00096CE3A53749032A6A7D3F94ACAA3,SHA256=BDC5DDC677CF6D10B1AC7E47F16A5C4CE1662291FA601DDC53BBB36BD395F908,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273127Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:12:30.603{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1DDD9DE77BBA27E95C8D6FAAD2BFFC39,SHA256=D91D100E7C0C6D933AB02F2F67E32E2A3A490D3F9B2D1248BF35E85F47B8FB99,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000209711Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:12:31.914{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5A2F298A46529E8BCAD70244933F214,SHA256=366299E91B0F36F50E9FCD92352FB4E0734F052ECF16E58B2B03F9823F4D0EBC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273141Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:12:31.697{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FAA05D97E4343C89ED1DE170803C0DD,SHA256=ACDA2C8D7BB385D9E91E8A1662E8FA22B0F7B694D5BCA31642ECE7115074A019,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000273140Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:12:31.088{EDA2768C-6FEB-642D-3500-00000000CB02}31363164C:\Windows\system32\conhost.exe{EDA2768C-73BF-642D-2201-00000000CB02}3524C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273139Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:12:31.088{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273138Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:12:31.088{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273137Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:12:31.088{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273136Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:12:31.088{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273135Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:12:31.088{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273134Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:12:31.088{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273133Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:12:31.088{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273132Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:12:31.088{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273131Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:12:31.088{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273130Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:12:31.088{EDA2768C-6FD9-642D-0500-00000000CB02}420436C:\Windows\system32\csrss.exe{EDA2768C-73BF-642D-2201-00000000CB02}3524C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000273129Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:12:31.088{EDA2768C-6FEA-642D-2900-00000000CB02}26284044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EDA2768C-73BF-642D-2201-00000000CB02}3524C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000273128Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:12:31.089{EDA2768C-73BF-642D-2201-00000000CB02}3524C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{EDA2768C-6FDA-642D-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{EDA2768C-6FEA-642D-2900-00000000CB02}2628C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000273143Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:12:32.791{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52C2E3271FB593BEE1817B906CEE523A,SHA256=B4AD61EFCFE9E100819A4A3BDBA35267A401B0AFB4D3CFC71427B5475BF1362F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273142Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:12:32.182{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6298B965FE8B1E6E930E623FFE892EE8,SHA256=5151EFB01BBA7356D556BEA5FBF51E8F03F04F11C514FB51D49FBFB5CC0A8FF0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273145Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:12:33.885{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51747643060DE607DD221F5F3C198369,SHA256=E8F79FC074EF130D346DBE92DC506D6AE4E78659E871B1D4213E492863C800DD,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000209713Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:12:31.325{8E625C7F-6FE3-642D-6100-00000000CC02}3076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-176.us-east-2.compute.internal49892-false10.0.1.12-8000- 23542300x8000000000000000209712Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:12:33.232{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7587F0CDD3DA2F9177B69A4C49CEDEE,SHA256=AF856668313A40917877B70F4049BC26EC29554E45E8413DA934E34037DDB791,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000273144Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:12:30.933{EDA2768C-6FF5-642D-7000-00000000CB02}1600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-192.attackrange.local63944-false10.0.1.12-8000- 23542300x8000000000000000273146Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:12:34.979{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3319ADA6E7FA0831D75EBBC08DDA1AD3,SHA256=70A0C2CF89B05F391F6EDDF06562DB8441F47939C43E94386CD592FC26BDF71B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000209714Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:12:34.441{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5DF1BB35E61626DEF14F18CAF97BDAC,SHA256=4978C721B92AE4290300546A44BD916EC2E0058A5B8A35688AE3A30B096A2214,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000209715Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:12:35.539{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9A033BFD987F46C59EDA074041CCDB4,SHA256=21A3B7E3175B232D6DAC77168AE142D1EBB31426FFD90F99881731FFE04D8F3D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000209716Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:12:36.638{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0B0901271465145CE2B9E6231796888,SHA256=0987D39B446B78EFA35DB9756D6BBF53AAAAEA9B04476525214B52F2FEBE12EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273148Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:12:36.833{EDA2768C-6FEA-642D-2800-00000000CB02}2608NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0325ca857d975bee2\channels\health\respondent-20230405125612-015MD5=8F9BF81EEEF0CC5FBD19D34ACA4D7654,SHA256=BDB857148A23C205BC97FF1DFCA28720A075C205934C789E9782C71AA2112876,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273147Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:12:36.072{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3BA5087ED27C02272423A697E28BDC5F,SHA256=554F1815DE503329AB54E4DC79054E22821B43D0D9A2D30718979A55924582D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000209718Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:12:37.737{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D410E1C6D08CBF8C187B9A70200FF559,SHA256=313CC81A94DD6C94C29EF68657F46AFCFE73AEDDE0FB149440698CAD01701256,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273150Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:12:37.838{EDA2768C-6FEA-642D-2800-00000000CB02}2608NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0325ca857d975bee2\channels\health\surveyor-20230405125610-016MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273149Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:12:37.165{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E08FC848EF5540ACA5409846246EA309,SHA256=5FEEDA92717C4084E74C501D9F5919FCFDEC4F29DBE9F5CA0686E5CFAAB3112A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000209717Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:12:37.407{8E625C7F-6FD8-642D-1E00-00000000CC02}1944NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=53D80A17639E404CDD8A4B0A849544CF,SHA256=8CE4B7E543D7C3CA9E83FF9E8C14B6AC08169DE493B9E12BDAAA696232F8B957,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000209719Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:12:38.835{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3510EDA6308A079EC2573D2E0A87C317,SHA256=02897E42AFF33C43EC0C4C88F2F0D6CF554BFC4B4B20714B4CF84D0A4F90CA9D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273151Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:12:38.263{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C579B9B00479F118B65ED59920FFA260,SHA256=12DD95B310DD12E4B1B66D622C61835EBE5A781993C372CAFD14153E5C771D2E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273152Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:12:39.365{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE725517D35C2B9FD17A54C9E2B592B1,SHA256=5008E8148C5B3E6B221AA9D80F168E7C58E944B4AB9FF600A26D756A2EBDF65D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000209720Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:12:36.340{8E625C7F-6FE3-642D-6100-00000000CC02}3076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-176.us-east-2.compute.internal49893-false10.0.1.12-8000- 23542300x8000000000000000273154Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:12:40.568{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5D409A3DB9EE48CE1378028404A249D,SHA256=7131BDF09F20C1BD120902D2AB6A37F6FFC8A65A5A8D896C7C7818E3B70D86C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000209721Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:12:40.044{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B1F16B641F489EFDB75C386812B8B48,SHA256=13DA79248FC04E625661BC2EADBC6B764F7EC29447121289B2C2631ADAC01DFF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000273153Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:12:36.904{EDA2768C-6FF5-642D-7000-00000000CB02}1600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-192.attackrange.local63945-false10.0.1.12-8000- 23542300x8000000000000000273155Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:12:41.662{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2BF599923767D9DED68889EE380216D5,SHA256=62C2C710A6AB22A1A334112B78FB894FECBF18EC1F29746EA1D22294B41E1CB2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000209722Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:12:41.142{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1CC64318F29A5E4139CABD998B0E7D7F,SHA256=F98614620372AEA094C9F5BC9D82FA51602F471488CBFA136F015A57DC4652AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273156Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:12:42.865{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB250AE154BCD96701EDDA004DD4B58F,SHA256=87B1CDC3FA921F60C03C8C20C60141CF29F43A08AF4469855266DD99D8E6F0F4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000209724Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:12:40.543{8E625C7F-6FD8-642D-1100-00000000CC02}976C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruetruefe80:0:0:0:1c47:30fc:f5ff:fef0win-host-ctus-attack-range-176546dhcpv6-clienttrueff02:0:0:0:0:0:1:2-547dhcpv6-server 23542300x8000000000000000209723Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:12:42.240{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94531EEFB64435D38BDC808AAAC95CF5,SHA256=8F2D04223CF8AE86BDD22B4F27BE9D2FE4512AADDD54291415A990A11D707132,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000209726Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:12:41.372{8E625C7F-6FE3-642D-6100-00000000CC02}3076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-176.us-east-2.compute.internal49894-false10.0.1.12-8000- 23542300x8000000000000000209725Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:12:43.339{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F634846F316BEC4CD698F6BCFE6ECD9,SHA256=46098DACD13C7FEA736E1B7933CB34FDC96C622A7A8C65C484313142E75035B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000209727Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:12:44.547{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0109EB6F686B8B03C9049239FE051EBD,SHA256=623B3D1E8F0F2F44949FFE946A7AAA164C84439B2944204CD72A408368E02D43,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273157Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:12:44.068{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07F4BE9A8BB893A926DCE5E9CC433390,SHA256=661A6A6E81B1389777D18ACDB87773314A2B33DF281ABF49BA49D2F6767852F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000209728Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:12:45.645{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20E99B8D347E451A2BD849791DC17DF5,SHA256=09A12B809055D7E6F9F7C4C6D020BC14D4D0B3960C54253116ACE5A066CEA66D,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000273160Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-SetValue2023-04-05 13:12:45.490{EDA2768C-6FDC-642D-1200-00000000CB02}388C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d967c0-0x4fd55ac6) 354300x8000000000000000273159Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:12:42.006{EDA2768C-6FF5-642D-7000-00000000CB02}1600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-192.attackrange.local63946-false10.0.1.12-8000- 23542300x8000000000000000273158Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:12:45.271{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D28E07EC31054B26F396181DE9B563F,SHA256=E64738569398ACF895EA3D7C38E85F4E479EFA0AE05B2B72D86E4F68F640F6EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000209729Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:12:46.744{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42BD468BEB812025E3681F5A1370368B,SHA256=0F0EEC00D3329C97A4780CE355007810D6BB49325F1BCEA5EB573ACCF4379AF0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273161Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:12:46.365{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F417ED8EC652000E85EF5DFC04B033E8,SHA256=597F56C8EC80E3F2682B3A87D7EB5AC60BAD6F7A886004938817D9F43362C9CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000209730Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:12:47.842{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA383A0BA75B95332068751CC9837EA2,SHA256=D05E9883083E8B68F1628B5742FAD31C9426340E7C2F52ACBE5636F4D9B247C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273162Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:12:47.459{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3AD0E4756FBDD1B584867822526C6F2,SHA256=8F93EF7578011F07149BF60BA9AF07BCC1B8315114F04369F6128DD898AE9D80,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273163Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:12:48.553{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B86FCFF5796CBC9D97CE7DA1BE7F9EBF,SHA256=0F6C7134361E8EE7EF52CC09C45E3A7E4A4BFFD67C5E0A9ABD5C397F353E0C0E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000209731Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:12:46.356{8E625C7F-6FE3-642D-6100-00000000CC02}3076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-176.us-east-2.compute.internal49895-false10.0.1.12-8000- 23542300x8000000000000000273164Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:12:49.865{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23D1E6C62E25A1846405CE0528BBD961,SHA256=BCFB318E8F82D2B820C7D3749EBB17D154920F08F7ABB2A5944CB016BA92A46D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000209732Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:12:49.050{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58E7BB64252BD078D0C0913023694217,SHA256=0F6403E36B88A8D40E996D61509F8AAAEB296187A52E427CF3C9D69DA13588E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273166Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:12:50.959{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D66212A932940B61EA03569736C5E72D,SHA256=A31BD31068E17A7E327ED03E9FDEF5C66CB5AE7233EA02FBA2605D062E59E13A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000209733Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:12:50.148{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FEA502871E66BB1EA586315D5543C9F,SHA256=5BDF39729FEC789E1DE8DDD5E363998F8FBCAEFCC028815CAF24DAEF2F45D7CA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000273165Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:12:48.021{EDA2768C-6FF5-642D-7000-00000000CB02}1600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-192.attackrange.local63947-false10.0.1.12-8000- 23542300x8000000000000000209734Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:12:51.246{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5FF9009EC31EDB7686B794BA9213D23,SHA256=FCFA7610FAF4C1042C9E20591032CDC6A6F63442B9253E376F0FC2FF4EA8C4AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000209735Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:12:52.564{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98B084B9D350B003C5B81FE7181FCE76,SHA256=4928134E5C6B4BE2AE1B34BE34D5DB66EABB283A1B795324276F0C67520520A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273167Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:12:52.068{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47DDE3A74D33527E0C536FF76CF898EA,SHA256=01E1C354D819304B7260B7D463E02CE765D329A13D4D7CC49EA13AF84203CCCC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000209737Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:12:53.881{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8314A3BEB50EB982131052028B2287F0,SHA256=33FC231F9F9774D86FAF4970ADFB876AAB2AF0C4DEE2140038F9DE518E7BEAA0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273168Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:12:53.162{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0387AA0E71C8A91996DE071411898726,SHA256=C5B920DB9124E3EB5B06FC6A4AF82E52D5B2B9F1EE2DD5A4EF9D018F6B9004AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000209736Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:12:53.238{8E625C7F-6FD8-642D-1100-00000000CC02}976NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=0E0AF083CD3B552C02B85ABDFA1D1D79,SHA256=44EE1BCDAF1648C537704E6B53015BF09C10217A98FD523C2ABE9CE0C1C9513B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000209739Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:12:54.979{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27C6F419B248E947BC9BF1F25B226E17,SHA256=17B42DC962B808C16C72C45CEBABAF51ADFBE4FEACCA0D957DBDBE0CB6DC8C45,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273169Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:12:54.365{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23746B67A47B38961B62054836B9E4AF,SHA256=01F79E869478854E5F5CBAC9FB1ACBFBDEDB4816F6339521C1C534CFD4059C22,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000209738Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:12:51.418{8E625C7F-6FE3-642D-6100-00000000CC02}3076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-176.us-east-2.compute.internal49896-false10.0.1.12-8000- 23542300x8000000000000000273171Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:12:55.709{EDA2768C-6FEA-642D-2900-00000000CB02}2628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=8738F6A75D0213A11D90E84DFED68976,SHA256=D9814DB0B80209D22F8E9D0BA173127A5C2292B29C185D506B332D140D9A38A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273170Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:12:55.568{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A62713C67E2A58520CA879D39760B3CE,SHA256=71C50C0633E17FB3E24C25B53ABE8D943A908B1E0139FA5AED5911B6E667F24F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000209742Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:12:55.826{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1300-00000000CC02}784C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209741Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:12:55.826{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1300-00000000CC02}784C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209740Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:12:55.826{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1300-00000000CC02}784C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000209743Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:12:56.297{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2565D6B90456D01D32EC9FE3AB277FFD,SHA256=06D361CD50FC6A5A9715BEB77A73D6F645CA85B585B3CD9AB026E25F89B70C3B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000273173Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:12:53.896{EDA2768C-6FF5-642D-7000-00000000CB02}1600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-192.attackrange.local63948-false10.0.1.12-8000- 23542300x8000000000000000273172Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:12:56.662{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=808A055FE98FC008A7F4A8E34F9E479D,SHA256=DEA9F7811C81BEE74EE96A39569989979754B6FFE41F9B7B30E4AEE5153E0365,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273174Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:12:57.756{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D71EEC69B94C567E3DF34F2CA95F8438,SHA256=36339C7AFF2B6884D66E8546811712EFE3D34F04430E442BF9AA12E151F752B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000209744Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:12:57.614{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=652FB9A97D9FBD07A038EC6315CB2958,SHA256=612CBDD8A70C69BB1CC7D6454BDFBA3C47F4D4CB3A8C2C6E75A8305A3ED51450,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273176Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:12:58.959{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2050360E2BD1A3D54F412B3B033EACC,SHA256=BF58EA630FAE2C62CC8DA18A761A842382B249DAFEA68E986751F5E233873F5F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000209745Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:12:58.712{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7ECD56F438908FD25C2BC96FDAE1EC1,SHA256=1ED059E39386E1026FF6FBB5A7D3BA305FFD0A9AE38531398A8A5AA8C15D8699,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273175Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:12:58.334{EDA2768C-6FDC-642D-1100-00000000CB02}92NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=164D56EBB600478A3F707BD2191325D2,SHA256=D2F9265B0805D37A5FC24D479C60B0B3A393501EE434DDCB2E93B6F8E15DD3E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273177Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:12:59.991{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0BBC2FC881F93DA635712BA684648DEE,SHA256=B833BA5240AC3D91AD3A7519B7AEA997F7F9E200A50C6E21FD8693C4ACF9F1D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000209747Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:12:59.810{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3EB8A4EE05586D1D36771A323CFA7748,SHA256=F11EC9A9B4657F321C48EAF4A3572B516054813BACD7B2A61AABF50CE2069F08,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000209746Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:12:57.231{8E625C7F-6FE3-642D-6100-00000000CC02}3076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-176.us-east-2.compute.internal49897-false10.0.1.12-8000- 23542300x8000000000000000209748Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:13:00.908{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E388DDC7268674CD51DEC20474FF62FD,SHA256=C43E4C36E9B2A71D3A41C1AD9001F0B6D61B5A9D6B583FCABCE60977B8E0D0E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273178Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:13:00.053{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2D27180FEE9554B82A1E036C7981EB1,SHA256=9FD16E910392650D302C3AB2F2A7D4889123D7C02A5D8C3D0386A241E649423A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000273180Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:12:59.053{EDA2768C-6FF5-642D-7000-00000000CB02}1600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-192.attackrange.local63949-false10.0.1.12-8000- 23542300x8000000000000000273179Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:13:01.147{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F00509AD30700DF5C2DAE1CAE9624FD,SHA256=F476783A215CD71D5A53401BC2C5904271A8459D5B6BAD0EF4D1F49C0DDB5F8A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273181Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:13:02.241{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE53226E85F71FB6BCABBBAF70D90E0A,SHA256=6E2FB11B35CD80A8E5B434B8F188B59661CA6A786D9B6F4F7103434548D07A9D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000209749Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:13:02.005{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2F007224D6E5A809B6DBC83798F37DE,SHA256=90C0F15B6B84DA0AD39C225E1D4473D5CF76326625CC42C7180157330E3DB914,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273182Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:13:03.334{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A44D4A68121202206F3AF45F5627228E,SHA256=A62D0AE293B74C2713A5C7256DAAEC42F42B9F2DA69DF40359C26828899583B7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000209751Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:13:03.950{8E625C7F-6FD8-642D-0D00-00000000CC02}788420C:\Windows\system32\svchost.exe{8E625C7F-6FDB-642D-4500-00000000CC02}3000C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3ca94|c:\windows\system32\rpcss.dll+29447|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000209750Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:13:03.103{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=066EB6A02A8B9060941815456C674D9F,SHA256=B406217BA33AFBAC93FD26DD255FFCFE5E3798B199D514E70D9D61D7E0982623,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273183Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:13:04.428{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3234A5F09A88DCB0F302846E994BEF0,SHA256=7C5A0FC8B49244D5AF446694944735B468732B8CC169D79DD3F834C28F544DA9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000209754Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:13:02.293{8E625C7F-6FE3-642D-6100-00000000CC02}3076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-176.us-east-2.compute.internal49898-false10.0.1.12-8000- 23542300x8000000000000000209753Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:13:04.389{8E625C7F-6FD8-642D-1E00-00000000CC02}1944NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=A7F5F15494D40628A6454642BDB837C6,SHA256=A232CA83B5EE3C99D23413319539A66CCCA50F101DFBC10136DB50B1520A2DBE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000209752Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:13:04.201{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F700B28662A6DEF20768194B44633B0,SHA256=E7B49D5CCF07CED7AB025C2218FDCA0CD7BCEC9C7C4BA08F42A631E684D19888,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273184Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:13:05.631{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9357FCE8A03DADC3C1FAE3C2FF5C2B5E,SHA256=51A191C854CFF76FF3B5874ADC349CBE2ADF1015F7F616C09CEE955CC41F7A25,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000209757Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:13:03.559{8E625C7F-6FD8-642D-1E00-00000000CC02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-176.us-east-2.compute.internal49899-false10.0.1.12-8089- 10341000x8000000000000000209756Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:13:05.361{8E625C7F-6FD8-642D-0D00-00000000CC02}788420C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1400-00000000CC02}972C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3ca94|c:\windows\system32\rpcss.dll+29447|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000209755Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:13:05.299{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99CB27F3D34CA46B63E5879A2D806C45,SHA256=E446787BC841B047F6DB38DA5FF0DAA074D64FDEE51A7134D3D75D6D51E7F3B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000209771Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:13:06.506{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60C4451EB356D6B7F8DEEFA544785E14,SHA256=8D5B291ED395D859E707D0320D1244A661590C2E66D83F626FB5D4E16655BA36,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273185Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:13:06.725{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=169860C6F1CFC4962AFC1381DD0ED5B2,SHA256=C27925DDA2834E1D0DABA2CA601809EC8C25C22A278A118EBAA1D860544EFFD2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000209770Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:13:06.067{8E625C7F-6FD9-642D-2E00-00000000CC02}28362856C:\Windows\system32\conhost.exe{8E625C7F-73E2-642D-1C01-00000000CC02}1984C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209769Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:13:06.067{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209768Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:13:06.067{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209767Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:13:06.067{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209766Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:13:06.067{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209765Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:13:06.067{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209764Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:13:06.067{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209763Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:13:06.067{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209762Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:13:06.067{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209761Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:13:06.067{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209760Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:13:06.067{8E625C7F-6FD7-642D-0500-00000000CC02}412540C:\Windows\system32\csrss.exe{8E625C7F-73E2-642D-1C01-00000000CC02}1984C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000209759Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:13:06.067{8E625C7F-6FD8-642D-1E00-00000000CC02}19442984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8E625C7F-73E2-642D-1C01-00000000CC02}1984C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000209758Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:13:06.068{8E625C7F-73E2-642D-1C01-00000000CC02}1984C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8E625C7F-6FD7-642D-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{8E625C7F-6FD8-642D-1E00-00000000CC02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000209801Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:13:07.839{8E625C7F-6FD8-642D-1E00-00000000CC02}1944NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=A04CDDE74D9129EA31B93748E895525C,SHA256=BBE68337EDCD0246E4574C3448C3606568E7889EC5DE7F5646E1AB8442BF4FF0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000209800Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:13:07.745{8E625C7F-6FD9-642D-2E00-00000000CC02}28362856C:\Windows\system32\conhost.exe{8E625C7F-73E3-642D-1E01-00000000CC02}3192C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209799Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:13:07.745{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209798Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:13:07.745{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209797Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:13:07.745{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209796Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:13:07.745{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209795Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:13:07.745{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209794Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:13:07.745{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209793Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:13:07.745{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209792Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:13:07.745{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209791Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:13:07.745{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209790Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:13:07.745{8E625C7F-6FD7-642D-0500-00000000CC02}4123824C:\Windows\system32\csrss.exe{8E625C7F-73E3-642D-1E01-00000000CC02}3192C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000209789Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:13:07.745{8E625C7F-6FD8-642D-1E00-00000000CC02}19442984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8E625C7F-73E3-642D-1E01-00000000CC02}3192C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000209788Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:13:07.746{8E625C7F-73E3-642D-1E01-00000000CC02}3192C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8E625C7F-6FD7-642D-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{8E625C7F-6FD8-642D-1E00-00000000CC02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000209787Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:13:07.619{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5D014E0321BE219778B7BB3F93378C3,SHA256=F48C888A2389AE59C1FB15864018FDA0C39B483511798A9CEB7ACB7352AFA347,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273186Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:13:07.819{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3AEE0EB84868CB408CAADB76EE8A5B39,SHA256=F4B4B5CE5BFCAE01A271D4D58283DDA843A515CBA1A1CC98D6C1A995610EA928,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000209786Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:13:07.337{8E625C7F-73E3-642D-1D01-00000000CC02}648432C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{8E625C7F-6FD8-642D-1E00-00000000CC02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000209785Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:13:07.211{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F2AA1CD6A87108C74E28F10E5335EA0A,SHA256=A38ABA408D2EDD043861B9EBAC70FB810652C811ACDD09858176B9222F39C4B5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000209784Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:13:07.149{8E625C7F-6FD9-642D-2E00-00000000CC02}28362856C:\Windows\system32\conhost.exe{8E625C7F-73E3-642D-1D01-00000000CC02}648C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209783Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:13:07.149{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209782Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:13:07.149{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209781Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:13:07.149{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209780Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:13:07.149{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209779Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:13:07.149{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209778Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:13:07.149{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209777Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:13:07.149{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209776Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:13:07.149{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209775Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:13:07.149{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209774Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:13:07.149{8E625C7F-6FD7-642D-0500-00000000CC02}412540C:\Windows\system32\csrss.exe{8E625C7F-73E3-642D-1D01-00000000CC02}648C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000209773Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:13:07.149{8E625C7F-6FD8-642D-1E00-00000000CC02}19442984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8E625C7F-73E3-642D-1D01-00000000CC02}648C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000209772Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:13:07.149{8E625C7F-73E3-642D-1D01-00000000CC02}648C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8E625C7F-6FD7-642D-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{8E625C7F-6FD8-642D-1E00-00000000CC02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000209802Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:13:08.717{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54934C5139984422261766C8AA2BD4F3,SHA256=852D52E86E62B2466544529BBAF117B6B13175EFFA2D3C9B0D0B94C4B4ECE639,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273188Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:13:08.913{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3DCA4593DA4FE1BA826C05AD828B2235,SHA256=B4CAAD0E8DB0751D45A95EBDF679D7691EB91557FEA74A8120F52A9BF67DEA14,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000273187Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:13:05.006{EDA2768C-6FF5-642D-7000-00000000CB02}1600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-192.attackrange.local63950-false10.0.1.12-8000- 23542300x8000000000000000209817Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:13:09.940{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F0023A3214C308352131340E1D2CCDA,SHA256=98D34DCEF1278C8B7980E899E4FEBD91494FBB91EADD688625C7C40315BA9CDE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000209816Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:13:09.846{8E625C7F-73E5-642D-1F01-00000000CC02}191696C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{8E625C7F-6FD8-642D-1E00-00000000CC02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209815Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:13:09.657{8E625C7F-6FD9-642D-2E00-00000000CC02}28362856C:\Windows\system32\conhost.exe{8E625C7F-73E5-642D-1F01-00000000CC02}1916C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209814Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:13:09.657{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209813Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:13:09.657{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209812Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:13:09.657{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209811Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:13:09.657{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209810Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:13:09.657{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209809Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:13:09.657{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209808Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:13:09.657{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209807Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:13:09.657{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209806Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:13:09.657{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209805Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:13:09.657{8E625C7F-6FD7-642D-0500-00000000CC02}4123824C:\Windows\system32\csrss.exe{8E625C7F-73E5-642D-1F01-00000000CC02}1916C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000209804Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:13:09.657{8E625C7F-6FD8-642D-1E00-00000000CC02}19442984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8E625C7F-73E5-642D-1F01-00000000CC02}1916C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000209803Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:13:09.658{8E625C7F-73E5-642D-1F01-00000000CC02}1916C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8E625C7F-6FD7-642D-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{8E625C7F-6FD8-642D-1E00-00000000CC02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000209832Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:13:08.262{8E625C7F-6FE3-642D-6100-00000000CC02}3076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-176.us-east-2.compute.internal49900-false10.0.1.12-8000- 10341000x8000000000000000209831Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:13:10.849{8E625C7F-73E6-642D-2001-00000000CC02}36041888C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{8E625C7F-6FD8-642D-1E00-00000000CC02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209830Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:13:10.661{8E625C7F-6FD9-642D-2E00-00000000CC02}28362856C:\Windows\system32\conhost.exe{8E625C7F-73E6-642D-2001-00000000CC02}3604C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209829Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:13:10.661{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209828Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:13:10.661{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209827Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:13:10.661{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209826Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:13:10.661{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209825Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:13:10.661{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209824Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:13:10.661{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209823Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:13:10.661{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209822Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:13:10.661{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209821Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:13:10.661{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209820Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:13:10.661{8E625C7F-6FD7-642D-0500-00000000CC02}4123824C:\Windows\system32\csrss.exe{8E625C7F-73E6-642D-2001-00000000CC02}3604C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000209819Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:13:10.661{8E625C7F-6FD8-642D-1E00-00000000CC02}19442984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8E625C7F-73E6-642D-2001-00000000CC02}3604C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000209818Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:13:10.662{8E625C7F-73E6-642D-2001-00000000CC02}3604C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{8E625C7F-6FD7-642D-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{8E625C7F-6FD8-642D-1E00-00000000CC02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000273190Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:13:10.241{EDA2768C-6FEA-642D-2900-00000000CB02}2628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=D5CA56D6F3597357E8C3B1CA51B9F30C,SHA256=9E08A18D639B411C72E2A6F9A6F9758642B555BE3D4AE0CCE8F17A39E92A7600,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273189Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:13:10.116{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=642CDE0253E14B5D69B9BDA431BBC51A,SHA256=7A953116FA15141D5447C766E61FA6240DA24CD65B2FF529E812055FF23E9167,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273192Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:13:11.210{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27E9FFCE5C399CB23010E19BD17FDFF2,SHA256=F0FDC282B742F8C312F7E01870A2CA719FBF3A6F98DAA39DE59A0CAECF6A7872,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000273191Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:13:11.210{EDA2768C-6FDC-642D-0D00-00000000CB02}9162832C:\Windows\system32\svchost.exe{EDA2768C-6FDD-642D-1600-00000000CB02}1288C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3ca94|c:\windows\system32\rpcss.dll+29447|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209847Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:13:11.366{8E625C7F-73E7-642D-2101-00000000CC02}656764C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{8E625C7F-6FD8-642D-1E00-00000000CC02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209846Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:13:11.163{8E625C7F-6FD9-642D-2E00-00000000CC02}28362856C:\Windows\system32\conhost.exe{8E625C7F-73E7-642D-2101-00000000CC02}656C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209845Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:13:11.163{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209844Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:13:11.163{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209843Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:13:11.163{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209842Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:13:11.163{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209841Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:13:11.163{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209840Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:13:11.163{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209839Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:13:11.163{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209838Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:13:11.163{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209837Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:13:11.163{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209836Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:13:11.163{8E625C7F-6FD7-642D-0500-00000000CC02}412428C:\Windows\system32\csrss.exe{8E625C7F-73E7-642D-2101-00000000CC02}656C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000209835Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:13:11.163{8E625C7F-6FD8-642D-1E00-00000000CC02}19442984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8E625C7F-73E7-642D-2101-00000000CC02}656C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000209834Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:13:11.164{8E625C7F-73E7-642D-2101-00000000CC02}656C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8E625C7F-6FD7-642D-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{8E625C7F-6FD8-642D-1E00-00000000CC02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000209833Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:13:11.147{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82450A91DCC1814685B19CFFE68B3FB3,SHA256=42124F5ABA509AD19734D55586CA97BD01C6EF2DB6FEDCFCCD0ABE6E78FED142,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273194Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:13:12.522{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9257B1F4A8689504B2588013DE1B7996,SHA256=A5DD62273215E6E35E6C1C454F888EB6EAD1FF01B1BE1C063E7FCBCEA85F54C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000209849Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:13:12.370{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B7DF4E92B6C131CF349A6C5309EC65C1,SHA256=F8BA0F7BF8D8690A43A8B78E951096F4FC6881860396DAA38378FBFCB578355B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000209848Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:13:12.244{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1DB26F5C53B8BED5E8B1FCE15E4005E,SHA256=849E839912E0C94667DC4FD2CA2D53CACCA49EF21F1FF0970EE188C39ADF2393,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000273193Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:13:09.084{EDA2768C-6FEA-642D-2900-00000000CB02}2628C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-192.attackrange.local63951-false10.0.1.12-8089- 23542300x8000000000000000273195Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:13:13.616{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=632BFD96939EEEF92C58A4A1B4F9A861,SHA256=C7D597BE3A224A5BE5E5573D2F3EE90BAC97E0458EE217D4A103524D1E72BEE7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000209863Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:13:13.342{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE529D43D8D492AA787A32366B47BC2D,SHA256=38A4075F0A8AB33D09429C6758B815828C2FE30F9D7CF3FF9FAFA12E79C5ACD3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000209862Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:13:13.185{8E625C7F-6FD9-642D-2E00-00000000CC02}28362856C:\Windows\system32\conhost.exe{8E625C7F-73E9-642D-2201-00000000CC02}3692C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209861Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:13:13.185{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209860Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:13:13.185{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209859Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:13:13.185{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209858Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:13:13.185{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209857Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:13:13.185{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209856Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:13:13.185{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209855Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:13:13.185{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209854Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:13:13.185{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209853Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:13:13.185{8E625C7F-6FD7-642D-0C00-00000000CC02}740856C:\Windows\system32\svchost.exe{8E625C7F-6FD8-642D-1B00-00000000CC02}1876C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209852Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:13:13.185{8E625C7F-6FD7-642D-0500-00000000CC02}4123824C:\Windows\system32\csrss.exe{8E625C7F-73E9-642D-2201-00000000CC02}3692C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000209851Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:13:13.185{8E625C7F-6FD8-642D-1E00-00000000CC02}19442984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8E625C7F-73E9-642D-2201-00000000CC02}3692C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000209850Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:13:13.186{8E625C7F-73E9-642D-2201-00000000CC02}3692C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8E625C7F-6FD7-642D-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{8E625C7F-6FD8-642D-1E00-00000000CC02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000273200Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:13:14.929{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=692A716931AFB8A3E223A62A38A57AE6,SHA256=AD39AF173A4D2DB0E16D6FB6C36555EC17A9550705082742F136DE659A068F64,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000209864Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:13:14.674{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A044748F70E6A6585D2B68B6AA769CB9,SHA256=E05FFB1DC31606022927DFEA4B32BE8D117B8F5DA9412F16033920D731117C78,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000273199Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:13:11.006{EDA2768C-6FF5-642D-7000-00000000CB02}1600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-192.attackrange.local63952-false10.0.1.12-8000- 10341000x8000000000000000273198Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:13:14.179{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FDC-642D-1500-00000000CB02}1164C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273197Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:13:14.179{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FDC-642D-1500-00000000CB02}1164C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273196Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:13:14.179{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FDC-642D-1500-00000000CB02}1164C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000209865Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:13:15.772{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25F18446CEC49E16D789D6C411940323,SHA256=648B3BD4266692E05016E7B53E4BD579377DA36266EA52CC39C10D6ADC73DD6E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000209867Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:13:16.869{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=758225EE219B82C1D7505B037FD1C864,SHA256=A61D4372AAD94D7B2884164CA33CEB4ED887873E46F5D2A3DB9382A68A8E31ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273201Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:13:16.132{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F8E06610ECB7C136A7B6E2865B9B122,SHA256=2023E6FA5D616D5BE6C7FC90B999B4455D8F1C5CBF9C6F499057C0540744DE37,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000209866Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:13:13.278{8E625C7F-6FE3-642D-6100-00000000CC02}3076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-176.us-east-2.compute.internal49901-false10.0.1.12-8000- 23542300x8000000000000000209868Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:13:17.966{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2D383B68991D6889F5FAB9E21B87136,SHA256=450936D7A10CBE874365BF9A49FC0745E14B7E20B24A81C207FF7B86E889A3EF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273202Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:13:17.226{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8375F3AD3B2F4746CCFDE2B0CCCF8D65,SHA256=4F1A815EAF384FE774EA3C4E6140437D5F442FFEA1BE39CC4C3633E7A6680AF8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273203Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:13:18.429{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6B39A542CFDA2DD360D5A09A6AA087B,SHA256=AE5EB44BD4AA4791DFB842CD25BA8ED6F6805E468425A0A42F9D1967F31BDE27,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273205Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:13:19.632{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A54F8C69ADB298FE23228AC5A2300021,SHA256=CEC9F222BB178D7E570E6ECE4E3095AFF89120F32F9FECF43EF8F853F5B2AA4E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000209869Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:13:19.064{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68D5A34D2617D326D2DAFE9AD201B659,SHA256=A3DE7E3CD0E8A6221B2DDD8556AF90688D8982CF0526AC7D692517946E904EC0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000273204Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:13:17.006{EDA2768C-6FF5-642D-7000-00000000CB02}1600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-192.attackrange.local63953-false10.0.1.12-8000- 23542300x8000000000000000273206Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:13:20.726{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D5725B82473CC3F79399A72B3D4696A,SHA256=FECCFC469094EBECC4FE66C9AB18286A91D33F3CF078AB8D2FCBEE0DBD040D45,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000209871Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:13:20.157{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F904548318661B3D5217A600F0E2CE8,SHA256=382BD35D5C4A716ADAFA6A6AD89E577AD7089F64A0A62B22EFF464D11290F032,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000209870Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:13:20.061{8E625C7F-6FD8-642D-1A00-00000000CC02}1868NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0349dcef4ef1bffd1\channels\health\respondent-20230405125554-016MD5=01AFA1117B3FF8C251038CF8389D3BC3,SHA256=E6B2DA3B1F447C8796BEA507CA8DDC0A951700532C0315D7CA2BAFBA4D11A451,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273207Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:13:21.820{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7B5F15F57FA028ED0C0AF8D6E60773C,SHA256=0CFB5CF4676E08F27B41D4DB22270BC069C625D374BB8C4E340391735B023D95,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000209874Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:13:21.258{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF59330F7075C7D83D4CEAD34A24D7EB,SHA256=922EF4F8663B72F3238C6DC49EB26DE61BAB87CDDBEF183F13CBA25F9AA6D0B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000209873Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:13:21.068{8E625C7F-6FD8-642D-1A00-00000000CC02}1868NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0349dcef4ef1bffd1\channels\health\surveyor-20230405125553-017MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000209872Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:13:18.372{8E625C7F-6FE3-642D-6100-00000000CC02}3076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-176.us-east-2.compute.internal49902-false10.0.1.12-8000- 23542300x8000000000000000209875Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:13:22.363{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7195EBAED6596C6DD06A60D764F24E63,SHA256=325AD6A58423C3DAAF562C7B581ADF41CEE6895AFE95D3325F11B8046A27EEAF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273208Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:13:22.914{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F54306525A753D5438D0F75C7D40EDE,SHA256=AA741E50765BB30FDBA4CDF02537600CB3B3E7C1B73237A79E8DD559299C35C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000209876Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:13:23.461{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA7E3A8CA53D8CF3BAC39375FC30D7A7,SHA256=AD635D01D18DD172397B88F13940E1918857556B7FF19F94B94F54A92C2B4816,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273209Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:13:23.617{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8FFA0A774A22E21AB268F4063903D5ED,SHA256=8E1D752A7FC7A85D52F548E649C8E679A7B9E1515AB3F26D317DB9CEE80FF758,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000209877Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:13:24.558{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71270DFD0DB1CD7C85A4EB35A788A4CB,SHA256=0700BEFD053110F62EE7BE55AC7E97368B6D1E8DFD1C8DB6EE14485477CFEB40,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000273236Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:13:24.929{EDA2768C-6FEB-642D-3500-00000000CB02}31363164C:\Windows\system32\conhost.exe{EDA2768C-73F4-642D-2401-00000000CB02}3260C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273235Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:13:24.929{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273234Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:13:24.929{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273233Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:13:24.929{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273232Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:13:24.929{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273231Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:13:24.929{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273230Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:13:24.929{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273229Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:13:24.929{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273228Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:13:24.929{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273227Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:13:24.929{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273226Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:13:24.929{EDA2768C-6FD9-642D-0500-00000000CB02}420784C:\Windows\system32\csrss.exe{EDA2768C-73F4-642D-2401-00000000CB02}3260C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000273225Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:13:24.929{EDA2768C-6FEA-642D-2900-00000000CB02}26284044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EDA2768C-73F4-642D-2401-00000000CB02}3260C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000273224Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:13:24.930{EDA2768C-73F4-642D-2401-00000000CB02}3260C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{EDA2768C-6FDA-642D-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{EDA2768C-6FEA-642D-2900-00000000CB02}2628C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000273223Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:13:24.023{EDA2768C-6FEB-642D-3500-00000000CB02}31363164C:\Windows\system32\conhost.exe{EDA2768C-73F4-642D-2301-00000000CB02}996C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273222Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:13:24.023{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273221Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:13:24.023{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273220Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:13:24.023{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273219Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:13:24.023{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273218Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:13:24.023{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273217Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:13:24.023{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273216Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:13:24.023{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273215Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:13:24.023{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273214Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:13:24.023{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273213Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:13:24.023{EDA2768C-6FD9-642D-0500-00000000CB02}420436C:\Windows\system32\csrss.exe{EDA2768C-73F4-642D-2301-00000000CB02}996C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000273212Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:13:24.023{EDA2768C-6FEA-642D-2900-00000000CB02}26284044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EDA2768C-73F4-642D-2301-00000000CB02}996C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000273211Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:13:24.024{EDA2768C-73F4-642D-2301-00000000CB02}996C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{EDA2768C-6FDA-642D-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{EDA2768C-6FEA-642D-2900-00000000CB02}2628C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000273210Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:13:24.007{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34EA10EAD0973A783C5ECF8F5DAB899F,SHA256=449F6514EB244740D09A32EBD066B80B258EE72AA3FA14DB8C14A2EF0EC7F891,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000209878Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:13:25.655{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCB25A51CCFFB0A6112BF60887960525,SHA256=2340C8295875D6631E5DDBD207120C720D6A8F9B3AB29523BFF1419E6466435C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273253Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:13:25.882{EDA2768C-6FEA-642D-2900-00000000CB02}2628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=BF0562E3B5BA591AE06FA8FAA6901E4C,SHA256=8A8DA6B6F30C9BFBA49B62F4653A9F710E3EE7A92D9CA193699FA6FC06BC1BDB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000273252Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:13:25.820{EDA2768C-6FEB-642D-3500-00000000CB02}31363164C:\Windows\system32\conhost.exe{EDA2768C-73F5-642D-2501-00000000CB02}2868C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273251Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:13:25.820{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273250Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:13:25.820{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273249Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:13:25.820{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273248Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:13:25.820{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273247Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:13:25.820{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273246Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:13:25.820{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273245Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:13:25.820{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273244Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:13:25.820{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273243Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:13:25.820{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273242Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:13:25.820{EDA2768C-6FD9-642D-0500-00000000CB02}420436C:\Windows\system32\csrss.exe{EDA2768C-73F5-642D-2501-00000000CB02}2868C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000273241Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:13:25.820{EDA2768C-6FEA-642D-2900-00000000CB02}26284044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EDA2768C-73F5-642D-2501-00000000CB02}2868C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000273240Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:13:25.821{EDA2768C-73F5-642D-2501-00000000CB02}2868C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{EDA2768C-6FDA-642D-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{EDA2768C-6FEA-642D-2900-00000000CB02}2628C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000273239Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:13:22.943{EDA2768C-6FF5-642D-7000-00000000CB02}1600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-192.attackrange.local63954-false10.0.1.12-8000- 23542300x8000000000000000273238Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:13:25.164{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F963AFADA1AB6D7994BAED584AB2518,SHA256=58693EEA5D2BAF552BC335A1B990AD38F37B3CF133F4BC5576403429DF4AB1E2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000273237Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:13:25.148{EDA2768C-73F4-642D-2401-00000000CB02}32603064C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{EDA2768C-6FEA-642D-2900-00000000CB02}2628C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000209880Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:13:26.752{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B3ABA4B7C285E7558F659369ECF585D,SHA256=42CD2C81A03ECDAED2F5893C3D04B7BEE61110C1DAEAAAEBE761375C2AFA391A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000209879Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:13:23.364{8E625C7F-6FE3-642D-6100-00000000CC02}3076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-176.us-east-2.compute.internal49903-false10.0.1.12-8000- 23542300x8000000000000000273254Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:13:26.226{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C1080AB08055D56087E69C0C908F767,SHA256=900DE472D8086E346B58759A0D346186CC22A8C158D8F647F214DBDE438DD142,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000209881Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:13:27.849{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE9CA76DD692BBA3626E72B14763EF2E,SHA256=D5154BD98F54593AED2084E270D86C27678C29BBC827713DF9840CEB74B3989C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000273270Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:13:27.929{EDA2768C-6FEB-642D-3500-00000000CB02}31363164C:\Windows\system32\conhost.exe{EDA2768C-73F7-642D-2601-00000000CB02}3664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273269Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:13:27.929{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273268Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:13:27.929{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273267Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:13:27.929{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273266Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:13:27.929{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273265Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:13:27.929{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273264Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:13:27.929{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273263Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:13:27.929{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273262Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:13:27.929{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273261Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:13:27.929{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273260Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:13:27.929{EDA2768C-6FD9-642D-0500-00000000CB02}420548C:\Windows\system32\csrss.exe{EDA2768C-73F7-642D-2601-00000000CB02}3664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000273259Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:13:27.929{EDA2768C-6FEA-642D-2900-00000000CB02}26284044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EDA2768C-73F7-642D-2601-00000000CB02}3664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000273258Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:13:27.930{EDA2768C-73F7-642D-2601-00000000CB02}3664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{EDA2768C-6FDA-642D-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{EDA2768C-6FEA-642D-2900-00000000CB02}2628C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000273257Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:13:24.678{EDA2768C-6FDA-642D-0B00-00000000CB02}648C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-192.attackrange.local63955-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-192.attackrange.local389ldap 354300x8000000000000000273256Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:13:24.678{EDA2768C-6FEA-642D-2700-00000000CB02}2600C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-192.attackrange.local63955-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-192.attackrange.local389ldap 23542300x8000000000000000273255Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:13:27.335{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE4AF5417229F228458AF21BA442E9EC,SHA256=9BAA65AEBA90D850F15EC4FC0B4EE16F75ACF96EC9B5D7F72290C68CD0FCC3DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000209882Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:13:28.946{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=795D3ECE64B5D331A48F973323A2EEFE,SHA256=D1D447F21CA20C93FDD59416D93D3AE5C5E3B5ECB0D17EA3051AF5BE825EF3F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273287Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:13:28.976{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C108D6DBB8130AE68E19A2C8C7CFF877,SHA256=1E81E0D1A23C616315489D5BD8E3BC08371A03AFE75DA63E366E0782DF3A9C28,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273286Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:13:28.726{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1AFC3F8D794653E75A805FC323F06570,SHA256=BB02CDB7E2D1D6AB80DF2768905AAAE380934434172935FB9FD8ECD0FC1C8798,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000273285Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:13:28.632{EDA2768C-73F8-642D-2701-00000000CB02}28402836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{EDA2768C-6FEA-642D-2900-00000000CB02}2628C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273284Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:13:28.429{EDA2768C-6FEB-642D-3500-00000000CB02}31363164C:\Windows\system32\conhost.exe{EDA2768C-73F8-642D-2701-00000000CB02}2840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273283Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:13:28.429{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273282Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:13:28.429{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273281Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:13:28.429{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273280Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:13:28.429{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273279Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:13:28.429{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273278Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:13:28.429{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273277Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:13:28.429{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273276Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:13:28.429{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273275Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:13:28.429{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273274Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:13:28.429{EDA2768C-6FD9-642D-0500-00000000CB02}420548C:\Windows\system32\csrss.exe{EDA2768C-73F8-642D-2701-00000000CB02}2840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000273273Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:13:28.429{EDA2768C-6FEA-642D-2900-00000000CB02}26284044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EDA2768C-73F8-642D-2701-00000000CB02}2840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000273272Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:13:28.430{EDA2768C-73F8-642D-2701-00000000CB02}2840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{EDA2768C-6FDA-642D-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{EDA2768C-6FEA-642D-2900-00000000CB02}2628C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000273271Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:13:28.242{EDA2768C-73F7-642D-2601-00000000CB02}36643732C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{EDA2768C-6FEA-642D-2900-00000000CB02}2628C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000273302Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:13:29.757{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C879057B55ADE472108DCA2A766B52A,SHA256=DFE511EC39E98EF287B5CD88E203F70543A5C336FEDB415971DED361961732F6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000273301Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:13:29.351{EDA2768C-73F9-642D-2801-00000000CB02}37441216C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{EDA2768C-6FEA-642D-2900-00000000CB02}2628C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273300Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:13:29.086{EDA2768C-6FEB-642D-3500-00000000CB02}31363164C:\Windows\system32\conhost.exe{EDA2768C-73F9-642D-2801-00000000CB02}3744C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273299Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:13:29.086{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273298Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:13:29.086{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273297Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:13:29.086{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273296Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:13:29.086{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273295Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:13:29.086{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273294Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:13:29.086{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273293Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:13:29.086{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273292Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:13:29.086{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273291Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:13:29.086{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273290Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:13:29.086{EDA2768C-6FD9-642D-0500-00000000CB02}420784C:\Windows\system32\csrss.exe{EDA2768C-73F9-642D-2801-00000000CB02}3744C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000273289Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:13:29.086{EDA2768C-6FEA-642D-2900-00000000CB02}26284044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EDA2768C-73F9-642D-2801-00000000CB02}3744C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000273288Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:13:29.087{EDA2768C-73F9-642D-2801-00000000CB02}3744C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{EDA2768C-6FDA-642D-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{EDA2768C-6FEA-642D-2900-00000000CB02}2628C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000273303Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:13:30.851{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D067C835482F6FE2DC329F2711965F1A,SHA256=170BA3AC6E01ECD50C3150AF56338E745A7BF1186616C3DF9087F46E01F4FB0D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000209883Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:13:30.043{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E385429F1C275749F7F6994CB72D8AE,SHA256=D0796D56C939E60338CEEBD1F5AA37F57A3C923FE68253286817D2414CE73054,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273318Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:13:31.946{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=179009722478E1E6600435A1C0E20C19,SHA256=1682A886E9446E1383A822B0A408B5BA312DB79DEC8D30ED48704F9BC11412E1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000209885Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:13:29.130{8E625C7F-6FE3-642D-6100-00000000CC02}3076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-176.us-east-2.compute.internal49904-false10.0.1.12-8000- 23542300x8000000000000000209884Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:13:31.140{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA03A1A23202E5E53F25D0E0D91B6446,SHA256=22B552365137FF3716D86C28ED371F2E7556AC44EE6AEAF535013F6E60C1C64C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000273317Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:13:28.912{EDA2768C-6FF5-642D-7000-00000000CB02}1600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-192.attackrange.local63956-false10.0.1.12-8000- 10341000x8000000000000000273316Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:13:31.086{EDA2768C-6FEB-642D-3500-00000000CB02}31363164C:\Windows\system32\conhost.exe{EDA2768C-73FB-642D-2901-00000000CB02}3700C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273315Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:13:31.086{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273314Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:13:31.086{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273313Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:13:31.086{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273312Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:13:31.086{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273311Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:13:31.086{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273310Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:13:31.086{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273309Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:13:31.086{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273308Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:13:31.086{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273307Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:13:31.086{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273306Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:13:31.086{EDA2768C-6FD9-642D-0500-00000000CB02}420784C:\Windows\system32\csrss.exe{EDA2768C-73FB-642D-2901-00000000CB02}3700C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000273305Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:13:31.086{EDA2768C-6FEA-642D-2900-00000000CB02}26284044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EDA2768C-73FB-642D-2901-00000000CB02}3700C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000273304Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:13:31.086{EDA2768C-73FB-642D-2901-00000000CB02}3700C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{EDA2768C-6FDA-642D-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{EDA2768C-6FEA-642D-2900-00000000CB02}2628C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000209886Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:13:32.237{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6700D6E7A0A6284F9D6DAE5996AB7BB5,SHA256=534153E104104CA48F389CC15A18FF9454BC444FAD0E086AF1CF522F1BAFF951,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000209887Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:13:33.333{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD4BEA93E7EE691CECE3B69E358D8341,SHA256=87E44A2548F487E65DE0AA4CDC60360272C47501C2F083303294E568EDF20840,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273319Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:13:33.258{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=705CFBF09DA69C63FB0391D3074367FA,SHA256=0FC7F175459BDE7E4461EE9B04C95D39E8C93964ECC372698EAE4758AA4EC6D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000209888Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:13:34.430{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D820217673448D48B78941E022D77128,SHA256=47527FCB68AD2139C3DA7AAFC1E64D6C6081D83A1851C2A8D3B58446F5CC5111,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273320Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:13:34.461{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93B7838AA95F4DD50282CF4ECD19A6A0,SHA256=B983B6216C58BCC183740041376E48953789761D32C05FFBA2063E452A3DB2A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000209889Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:13:35.527{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3629F40E813F803DE65FD144122E5C85,SHA256=03715BCD95A6907E9EFAC34996DC2D212966280DB448A9902429F9DA7C672375,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273321Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:13:35.773{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74FE262CE39A650963B03A80ABB520CC,SHA256=6ADECD0B121A85CA0935B0E215580DA867AAB3399431C0945B94CBA59F714FA8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000209890Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:13:36.624{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46711518ADC3912EC5456182503D73D4,SHA256=E1D1A43D9AB281BA20D378A43590BB6B768E33871D32201FEE5387E7E637297A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273323Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:13:36.976{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=800D18985A60536DC6D98F31154E90BC,SHA256=54588E01271059CA2DCE1B359377284CBCFA955F1338D9A3FD2DB59D2C8704FB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000273322Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:13:34.115{EDA2768C-6FF5-642D-7000-00000000CB02}1600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-192.attackrange.local63957-false10.0.1.12-8000- 23542300x8000000000000000209892Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:13:37.721{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48418ACFEBE5AE5606E4D625B7248110,SHA256=595A372A51EBCA74BCEBE2EBA973028EDA8880743701CD2BAD2848DD854F78BC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000209891Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:13:35.114{8E625C7F-6FE3-642D-6100-00000000CC02}3076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-176.us-east-2.compute.internal49905-false10.0.1.12-8000- 23542300x8000000000000000209894Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:13:38.927{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB5839E7A445A6329A63199A89A7854E,SHA256=39E9E1329B5AB92A36F523486FC65DECE990F1A608272FECFD22F50A1B8B6974,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000209893Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:13:38.128{8E625C7F-6FD8-642D-1E00-00000000CC02}1944NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=66FCB3ED7A2CDD8239FF2EBEE96A18D4,SHA256=0FF7BF5486C07583426F73E950077515205EF7268A2281155BA56E02A9554F8C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273325Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:13:38.361{EDA2768C-6FEA-642D-2800-00000000CB02}2608NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0325ca857d975bee2\channels\health\respondent-20230405125612-016MD5=8F9BF81EEEF0CC5FBD19D34ACA4D7654,SHA256=BDB857148A23C205BC97FF1DFCA28720A075C205934C789E9782C71AA2112876,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273324Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:13:38.171{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=254FACAEDC55FED3EC547B0B7F92A358,SHA256=05E86EE1CD3AA1C843842DB7F613DA5294C2426F273FE1771107670CFAD9E54D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273327Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:13:39.365{EDA2768C-6FEA-642D-2800-00000000CB02}2608NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0325ca857d975bee2\channels\health\surveyor-20230405125610-017MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273326Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:13:39.270{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D66B0B358B55C1D74ECD1A1790514C00,SHA256=8890C1312DD39994714B30A3855FF07642D35926A4FE542E3FEBB5994EB4D522,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000209895Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:13:40.024{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B660D5F875362E77857BF61A9B9F60A5,SHA256=0256B12C4FB5C43544E229433C5983A248E12EF107BA3313AD0E9410B999914C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273328Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:13:40.344{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7687EE81D7391AAEC61E229D58C9AE37,SHA256=73BEC1BA9541BD79A79C710B6F510C2D857B11BB91D211EB6C82B5204B15248F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000209896Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:13:41.121{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E2C1E006E61E30072CD338C3E3A37F7,SHA256=07688D2116892B4F0FEE444A9D045563AE17A3CF708690E4AA4C63EFF7E0F02F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273329Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:13:41.548{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD6AEFCDA754C2822055250754923A15,SHA256=433E9B3E9670B0184E7131383353A8140DE85633BB44D8E94E80918BADADC752,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000209898Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:13:40.115{8E625C7F-6FE3-642D-6100-00000000CC02}3076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-176.us-east-2.compute.internal49906-false10.0.1.12-8000- 23542300x8000000000000000209897Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:13:42.217{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A213577A437D6E05776409C82A7FF3A8,SHA256=98BDFBAB28E261DDBE095A9F4979D50387513B40A0EDCEE6AC467DE62AA1D35E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000273331Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:13:40.092{EDA2768C-6FF5-642D-7000-00000000CB02}1600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-192.attackrange.local63958-false10.0.1.12-8000- 23542300x8000000000000000273330Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:13:42.751{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=235A22BE8A4085E65773899C5E0F63CE,SHA256=5BFA0359B9AA0F6169CC67BE867140A6F7E5549927EFF82AAC8568EBCC51B844,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000209899Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:13:43.533{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0A671497F766F1F6518A919D05C6BD1,SHA256=936A91EABE3C8B68BB87D86534C0686C26DDA23247D1362BE71A30FB94743C60,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000209900Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:13:44.739{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=413D5B6BD5635B84521AE9CD73E89392,SHA256=3C8C3A047889B14EA57580D81DFB0378EE1FB53D9C26E36DA3163F9E21836670,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273332Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:13:44.063{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74299CE33F41E65338654C00B8320364,SHA256=270BB093A3B1536704F87E000152CF14CB175EAD5FBED63109F389B96E092498,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000209901Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:13:45.836{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DED750D4A06213AE7D024DD16C663ABA,SHA256=E58A21CE5D920103C7747DEB41CE899F90E619EFCEE495DBBE6676EFDFEDF510,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273333Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:13:45.157{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52DB27C1DF00579EEDA154012BC643D2,SHA256=B2ABC8B21B536E5A0620B617269E3B4FD47FDDE7528D76056A4D455CF364D26B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000209902Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:13:46.933{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9101E6AF16712E8AAAE6B4D6BC95DAE8,SHA256=9AA547ABC9E413914063700428EE2C0FFE702B154A046CCA86B34E8D50195A59,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273334Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:13:46.470{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37402B87AB21E22FE665A636763C2F3E,SHA256=AA5564F045A9F20F4153F5CE39C23EF3FD8BF40043F8353379E69E54565C632B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273335Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:13:47.673{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E7187521334F91348EF59B37E2332F6,SHA256=049F4D29D2186D5CFC00B92A4B1161A935FF99F3C0D30D2553F0B983FA7AF77F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273337Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:13:48.985{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5F5D3C3BBD7C026B447FC222857F430E,SHA256=BED5787CCB1509BB9EF85FA35A7798116A7142814327876B7696343A67251865,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273336Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:13:48.767{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E99A5308FAB7317A17B640A39714CB1D,SHA256=94A42CEA6E06520323F065B6D56EE5545FF11546C7E4D7F1E6594AFED5801199,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000209904Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:13:45.161{8E625C7F-6FE3-642D-6100-00000000CC02}3076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-176.us-east-2.compute.internal49907-false10.0.1.12-8000- 23542300x8000000000000000209903Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:13:48.029{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5565311DB626AAD2381F5EB30BC19520,SHA256=993235FBC92B02130D8C4F45DBFD7FF5426F7AFA260829D2DD875AB7A59564A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000209905Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:13:49.235{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F94B22964523EAF7675C3D088022226,SHA256=3766613DF633ACDD08AF58116D4346ADEA9C38C427A9BFF8EFDAFB232989E111,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000273340Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-SetValue2023-04-05 13:13:49.657{EDA2768C-6FDC-642D-1200-00000000CB02}388C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d967c0-0x7615f804) 354300x8000000000000000273339Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:13:46.673{EDA2768C-6FDC-642D-1000-00000000CB02}360C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse212.187.221.34-53535-false10.0.1.14win-dc-ctus-attack-range-192.attackrange.local3389ms-wbt-server 354300x8000000000000000273338Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:13:45.998{EDA2768C-6FF5-642D-7000-00000000CB02}1600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-192.attackrange.local63959-false10.0.1.12-8000- 23542300x8000000000000000209906Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:13:50.332{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8A8DB8EC5DE6B0BB54C28741773B2D2,SHA256=955D570D28B9C265D48C761893C9D7220BBB9DEAE63783B2F4F4AB9ED3D2EDF3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273341Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:13:50.079{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3FBD43295A0D8A21E5C5381FDB04865,SHA256=BAC33F97A82E87F962BAC5EF77FA5FA75B9A7094A7918DC6EA1E806C090F2195,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000209907Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:13:51.648{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46F565C9B0E7063E0CE06E5E99D327D3,SHA256=35983D1A87885818EC7EDB2A1A77EF2DD8DA876B0AC61AE05B9FA625A8879927,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000273344Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:13:47.843{EDA2768C-6FEA-642D-2A00-00000000CB02}2644C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-ctus-attack-range-192.attackrange.local60063-false10.0.0.2ip-10-0-0-2.us-east-2.compute.internal53domain 354300x8000000000000000273343Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:13:47.842{EDA2768C-6FEA-642D-2A00-00000000CB02}2644C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-192.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-192.attackrange.local51438- 23542300x8000000000000000273342Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:13:51.282{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC891B2BA845E82811FC2BA279894910,SHA256=94D966D92B3C4B6CC13793A09FE44FF1156B57E306987BE4BA91861026DDBAE8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000209908Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:13:52.744{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8648A04E6F92C654BAD559B22649DA73,SHA256=470CCBF0E5A911FCEBA0F3D9544E3DA323D3B1B1298433EB3C8529A75121D59D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273345Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:13:52.486{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0EBD250ADC71E2847C7DA70825DA5567,SHA256=760DB38B0C63A80FF647BA51C072F823A58C859D01B468DE8AA2D59301FCD4C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000209910Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:13:53.950{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=331270E7BA66D1ACE1211738A2D1C4E5,SHA256=815BB0A28550A3046D08F34E87096EBED70AE9FA516BD6C8401B8B63CB85101F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273346Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:13:53.579{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FFDBA71E0D08ED0EC8E4E137FBAA7F6,SHA256=F7878653742AA9B6498B756D6E9504513BD3E0DEFFA65730ADB51EF908A06D4A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000209909Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:13:53.433{8E625C7F-6FD8-642D-1100-00000000CC02}976NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=CD713DAADA0D532A600ABAEF1088CCCE,SHA256=8D3FFDA90247E9887FD401E417CD1C90482DC5A0A8457A591FE426DC22320FD7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273348Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:13:54.783{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AEC7876169EF631C1EB294465992F223,SHA256=A1438111A19FD04B632DACA5D209307CA571F8DDC5504B0551FA64DDFF5FAF46,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000209921Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-SetValue2023-04-05 13:13:54.357{8E625C7F-6FD7-642D-0B00-00000000CC02}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000209920Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-SetValue2023-04-05 13:13:54.357{8E625C7F-6FD7-642D-0B00-00000000CC02}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x001092ad) 13241300x8000000000000000209919Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-SetValue2023-04-05 13:13:54.357{8E625C7F-6FD7-642D-0B00-00000000CC02}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d967b8-0x16fea66d) 13241300x8000000000000000209918Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-SetValue2023-04-05 13:13:54.357{8E625C7F-6FD7-642D-0B00-00000000CC02}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d967c0-0x78c30e6d) 13241300x8000000000000000209917Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-SetValue2023-04-05 13:13:54.357{8E625C7F-6FD7-642D-0B00-00000000CC02}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d967c8-0xda87766d) 13241300x8000000000000000209916Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-SetValue2023-04-05 13:13:54.357{8E625C7F-6FD7-642D-0B00-00000000CC02}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000209915Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-SetValue2023-04-05 13:13:54.357{8E625C7F-6FD7-642D-0B00-00000000CC02}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x001092ad) 13241300x8000000000000000209914Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-SetValue2023-04-05 13:13:54.357{8E625C7F-6FD7-642D-0B00-00000000CC02}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d967b8-0x16fea66d) 13241300x8000000000000000209913Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-SetValue2023-04-05 13:13:54.357{8E625C7F-6FD7-642D-0B00-00000000CC02}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d967c0-0x78c30e6d) 13241300x8000000000000000209912Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-SetValue2023-04-05 13:13:54.357{8E625C7F-6FD7-642D-0B00-00000000CC02}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d967c8-0xda87766d) 354300x8000000000000000209911Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:13:51.098{8E625C7F-6FE3-642D-6100-00000000CC02}3076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-176.us-east-2.compute.internal49908-false10.0.1.12-8000- 354300x8000000000000000273347Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:13:52.014{EDA2768C-6FF5-642D-7000-00000000CB02}1600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-192.attackrange.local63960-false10.0.1.12-8000- 23542300x8000000000000000273349Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:13:55.986{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC368EC501726C801FEC0A6EA9E7145C,SHA256=9E8F80B429C6C64782982139C8E3E042B52C243107FEC5AF4CCDF7187D80257E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000209922Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:13:55.046{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F07C842935C6FC7819366E82E421783F,SHA256=A9A4D95D6E8CACAAC698FC034B73D715DDC76BBFA9F1727535DBDA78AF1F0A3E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000209923Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:13:56.143{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AAE3BCD84079E859BAF96E522446A3A8,SHA256=73BAC9B42B9EEDD7C8183E08E5DAC945DFEDA46C5812A81EB990A264DD3AB0ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273350Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:13:56.080{EDA2768C-6FEA-642D-2900-00000000CB02}2628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=F008FFF3DD5527F981D94975F7C690F7,SHA256=8B82121BC4ACCF6C1AD786AF471C21791BD4D057C99B74F0AAAF8CC655804165,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000209924Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:13:57.239{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D255B87FAA6107E5E92D272943F98351,SHA256=0212EEA389388EBB6F99F64357A9E6680C540726EE7BCB90BB06A9152429888B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273351Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:13:57.189{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F1D9443893AC9888C568EE00970C100,SHA256=E8F4D96CE99FFF2CCF6EE5ED6DB6B7F667740253A7876C652B06557E887C3BCF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000209926Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:13:56.176{8E625C7F-6FE3-642D-6100-00000000CC02}3076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-176.us-east-2.compute.internal49909-false10.0.1.12-8000- 23542300x8000000000000000209925Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:13:58.445{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93EEC2A350545315D4B15C6F1AFBDCDD,SHA256=24F912D0E9A5E4F3AA4AD65218B90E0ACEF96BA29B8508074C309BE4F18A50B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273353Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:13:58.345{EDA2768C-6FDC-642D-1100-00000000CB02}92NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=1448868098A0AAB959673C641680929E,SHA256=DC5025D2BBE8E88DDE1311E964BD118DED06A18BBB773DF2A05726E415AFD3D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273352Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:13:58.283{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0880D5F05813DE5504C672C25D096566,SHA256=6E1C3BCEA9AA47A4174D99CFD4719E94121316BFA6FCE7CA7AF1A8888558EFD6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000209927Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:13:59.651{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C687C93E34A6F1F10619DDE07CA6615D,SHA256=CC7EC56BE7C1FFFB5744F07DCA6F7ADB4545F29941A8F29253276E5894B2C60D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273354Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:13:59.377{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B40CFEA70245965AA6E213D092DE4EAE,SHA256=410F4C02B6CA8B4F22754BF5EF1C773BBDE65EA8D712BE0B0589BBC194119E35,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000209928Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:14:00.747{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7DF571CA45A40CA081CF3F5D41EA0DA8,SHA256=7CE9986B54A292567CAB1547B4D2F881FC85600680388209476D06AD28AE9129,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000273356Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:13:58.014{EDA2768C-6FF5-642D-7000-00000000CB02}1600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-192.attackrange.local63961-false10.0.1.12-8000- 23542300x8000000000000000273355Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:00.689{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2850AC1CAB25CB4BA3312FE03676063F,SHA256=5AD13E4C757AF86036E644CD1BB0D2203D08CDD6E563471B437F09E06BF44421,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000209929Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:14:01.844{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16BA8053B5F1EF498A62D9A619D94F40,SHA256=6A52CDCDDD9B48B6B0C5992106F776E93B215F3A2FBF4E9F49645F57FB9E3598,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273358Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:01.783{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A1A34B135A649195BD9AD694F0B5512,SHA256=86447E90C924F7D0223C47B762972E57C481C037895A1FC9A2FC50A5CF66315D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273357Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:01.064{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=C4949E98A8E237C56CE0C563EA53C08D,SHA256=8ED34A52780D092C2FBE4AEDB2FD11551D5429B8EEAD6FAB6C58665F0BC8E453,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000209930Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:14:02.940{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD79D8CA4F832E0BDAA971D44ED630B0,SHA256=79BF507997D52A864CCD1EE1BB63E5704DE193A20D5741BE8F8D90FFC442900D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273417Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:02.924{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B37B35286E391A4EF05C974A0EFD16D6,SHA256=E8E6D9B9A8B4577B1E65C5FDBED943F9786D2075C879B5A294A8451753332C28,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000273416Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:02.861{EDA2768C-741A-642D-2B01-00000000CB02}38803520C:\Windows\system32\csrss.exe{EDA2768C-6FDC-642D-1000-00000000CB02}360C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\winsrv.DLL+1ef0|C:\Windows\system32\winsrv.DLL+17e9|C:\Windows\system32\winsrv.DLL+1579|C:\Windows\SYSTEM32\ntdll.dll+5179f 354300x8000000000000000273415Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:13:59.389{EDA2768C-6FDC-642D-1000-00000000CB02}360C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse212.187.221.34-53538-false10.0.1.14win-dc-ctus-attack-range-192.attackrange.local3389ms-wbt-server 23542300x8000000000000000273414Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:02.408{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=856683919B9E2957B376E48048B81CEE,SHA256=F114102ACB5D934F9465A97462CDDB2B0EE63320F944F0737E3ADC133161C87C,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000273413Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-SetValue2023-04-05 13:14:02.345{EDA2768C-6FD6-642D-0100-00000000CB02}4SystemHKLM\System\CurrentControlSet\Services\mouclass\Enum\NextInstanceDWORD (0x00000002) 13241300x8000000000000000273412Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-SetValue2023-04-05 13:14:02.345{EDA2768C-6FD6-642D-0100-00000000CB02}4SystemHKLM\System\CurrentControlSet\Services\mouclass\Enum\CountDWORD (0x00000002) 13241300x8000000000000000273411Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-SetValue2023-04-05 13:14:02.345{EDA2768C-6FD6-642D-0100-00000000CB02}4SystemHKLM\System\CurrentControlSet\Services\mouclass\Enum\1TERMINPUT_BUS\UMB\2&2c22bcc9&0&Session2Mouse0 13241300x8000000000000000273410Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-SetValue2023-04-05 13:14:02.345{EDA2768C-6FD6-642D-0100-00000000CB02}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\NextInstanceDWORD (0x00000002) 13241300x8000000000000000273409Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-SetValue2023-04-05 13:14:02.345{EDA2768C-6FD6-642D-0100-00000000CB02}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\CountDWORD (0x00000002) 13241300x8000000000000000273408Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-SetValue2023-04-05 13:14:02.345{EDA2768C-6FD6-642D-0100-00000000CB02}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\1TERMINPUT_BUS\UMB\2&2c22bcc9&0&Session2Mouse0 13241300x8000000000000000273407Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-SetValue2023-04-05 13:14:02.330{EDA2768C-6FD6-642D-0100-00000000CB02}4SystemHKLM\System\CurrentControlSet\Services\kbdclass\Enum\NextInstanceDWORD (0x00000002) 13241300x8000000000000000273406Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-SetValue2023-04-05 13:14:02.330{EDA2768C-6FD6-642D-0100-00000000CB02}4SystemHKLM\System\CurrentControlSet\Services\kbdclass\Enum\CountDWORD (0x00000002) 13241300x8000000000000000273405Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-SetValue2023-04-05 13:14:02.330{EDA2768C-6FD6-642D-0100-00000000CB02}4SystemHKLM\System\CurrentControlSet\Services\kbdclass\Enum\1TERMINPUT_BUS\UMB\2&2c22bcc9&0&Session2Keyboard0 13241300x8000000000000000273404Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-SetValue2023-04-05 13:14:02.330{EDA2768C-6FD6-642D-0100-00000000CB02}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\NextInstanceDWORD (0x00000001) 13241300x8000000000000000273403Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-SetValue2023-04-05 13:14:02.330{EDA2768C-6FD6-642D-0100-00000000CB02}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\CountDWORD (0x00000001) 13241300x8000000000000000273402Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-SetValue2023-04-05 13:14:02.330{EDA2768C-6FD6-642D-0100-00000000CB02}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\0TERMINPUT_BUS\UMB\2&2c22bcc9&0&Session2Keyboard0 10341000x8000000000000000273401Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:02.314{EDA2768C-6FDC-642D-0C00-00000000CB02}856984C:\Windows\system32\svchost.exe{EDA2768C-741A-642D-2C01-00000000CB02}4020C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+796b|c:\windows\system32\lsm.dll+2387f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273400Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:02.314{EDA2768C-6FDC-642D-0C00-00000000CB02}856984C:\Windows\system32\svchost.exe{EDA2768C-741A-642D-2C01-00000000CB02}4020C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+2380c|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273399Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:02.314{EDA2768C-6FDC-642D-0C00-00000000CB02}856984C:\Windows\system32\svchost.exe{EDA2768C-741A-642D-2C01-00000000CB02}4020C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+237c4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273398Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:02.298{EDA2768C-6FDC-642D-0C00-00000000CB02}856984C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273397Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:02.298{EDA2768C-6FDC-642D-0C00-00000000CB02}856984C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273396Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:02.298{EDA2768C-6FDC-642D-0C00-00000000CB02}856984C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273395Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:02.298{EDA2768C-6FDC-642D-0C00-00000000CB02}856984C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273394Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:02.298{EDA2768C-6FDC-642D-0C00-00000000CB02}856984C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273393Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:02.298{EDA2768C-6FDC-642D-0C00-00000000CB02}856984C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273392Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:02.298{EDA2768C-6FDC-642D-0C00-00000000CB02}856984C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273391Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:02.298{EDA2768C-6FDC-642D-0C00-00000000CB02}856984C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273390Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:02.298{EDA2768C-6FDC-642D-0C00-00000000CB02}856984C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273389Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:02.298{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-741A-642D-2B01-00000000CB02}3880C:\Windows\system32\csrss.exe0x101000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\lsm.dll+1ac1c|c:\windows\system32\lsm.dll+22cc9|c:\windows\system32\lsm.dll+bcaf|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\combase.dll+3b21c|C:\Windows\System32\combase.dll+3aed2|C:\Windows\System32\combase.dll+397e8|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x8000000000000000273388Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:02.298{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-741A-642D-2C01-00000000CB02}4020C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+1abf6|c:\windows\system32\lsm.dll+22cc9|c:\windows\system32\lsm.dll+bcaf|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\combase.dll+3b21c|C:\Windows\System32\combase.dll+3aed2|C:\Windows\System32\combase.dll+397e8|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x8000000000000000273387Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:02.298{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-741A-642D-2C01-00000000CB02}4020C:\Windows\system32\winlogon.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\lsm.dll+1abdc|c:\windows\system32\lsm.dll+22cc9|c:\windows\system32\lsm.dll+bcaf|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\combase.dll+3b21c|C:\Windows\System32\combase.dll+3aed2|C:\Windows\System32\combase.dll+397e8|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x8000000000000000273386Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:02.298{EDA2768C-741A-642D-2A01-00000000CB02}26402204C:\Windows\System32\smss.exe{EDA2768C-741A-642D-2C01-00000000CB02}4020C:\Windows\system32\winlogon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\SYSTEM32\ntdll.dll+8c64e|C:\Windows\SYSTEM32\ntdll.dll+8c3f9|\SystemRoot\System32\smss.exe+2795|\SystemRoot\System32\smss.exe+2042|\SystemRoot\System32\smss.exe+1d5e|\SystemRoot\System32\smss.exe+1b09|\SystemRoot\System32\smss.exe+14cb|\SystemRoot\System32\smss.exe+130f|\SystemRoot\System32\smss.exe+1096|C:\Windows\SYSTEM32\ntdll.dll+5179f 154100x8000000000000000273385Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:02.304{EDA2768C-741A-642D-2C01-00000000CB02}4020C:\Windows\System32\winlogon.exe10.0.14393.3204 (rs1_release.190830-1500)Windows Logon ApplicationMicrosoft® Windows® Operating SystemMicrosoft CorporationWINLOGON.EXEwinlogon.exeC:\Windows\system32\NT AUTHORITY\SYSTEM{EDA2768C-6FDA-642D-E703-000000000000}0x3e72SystemMD5=DEA4CE12F24601830083126E18A2C7C9,SHA256=F002F8C2EA49D21F242996E3D57F5FDD7995FE6DB524BB69BBD7F190CC0211A9,IMPHASH=3CF10D94C117DB4F6E9D523B93429D6D{EDA2768C-741A-642D-2A01-00000000CB02}2640C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 00000100 0000007c 10341000x8000000000000000273384Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:02.298{EDA2768C-6FD6-642D-0200-00000000CB02}320328C:\Windows\System32\smss.exe{EDA2768C-741A-642D-2B01-00000000CB02}3880C:\Windows\system32\csrss.exe0x101441C:\Windows\SYSTEM32\ntdll.dll+a6ce4|\SystemRoot\System32\smss.exe+3fee|\SystemRoot\System32\smss.exe+3b53|C:\Windows\SYSTEM32\ntdll.dll+1d401|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000273383Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:02.283{EDA2768C-6FDC-642D-0C00-00000000CB02}856884C:\Windows\system32\svchost.exe{EDA2768C-741A-642D-2B01-00000000CB02}3880C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+1a7a4|c:\windows\system32\lsm.dll+1aa31|C:\Windows\SYSTEM32\ntdll.dll+1d401|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273382Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:02.267{EDA2768C-6FDC-642D-0C00-00000000CB02}856884C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273381Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:02.267{EDA2768C-6FDC-642D-0C00-00000000CB02}856884C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273380Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:02.267{EDA2768C-6FDC-642D-0C00-00000000CB02}856884C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273379Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:02.267{EDA2768C-6FDC-642D-0C00-00000000CB02}856884C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273378Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:02.267{EDA2768C-6FDC-642D-0C00-00000000CB02}856884C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273377Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:02.267{EDA2768C-6FDC-642D-0C00-00000000CB02}856884C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273376Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:02.267{EDA2768C-6FDC-642D-0C00-00000000CB02}856884C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273375Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:02.267{EDA2768C-6FDC-642D-0C00-00000000CB02}856884C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273374Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:02.267{EDA2768C-6FDC-642D-0C00-00000000CB02}856884C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273373Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:02.267{EDA2768C-741A-642D-2A01-00000000CB02}26402204C:\Windows\System32\smss.exe{EDA2768C-741A-642D-2B01-00000000CB02}3880C:\Windows\system32\csrss.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\SYSTEM32\ntdll.dll+8c64e|C:\Windows\SYSTEM32\ntdll.dll+8c3f9|\SystemRoot\System32\smss.exe+2795|\SystemRoot\System32\smss.exe+1ee4|\SystemRoot\System32\smss.exe+20a1|\SystemRoot\System32\smss.exe+1c92|\SystemRoot\System32\smss.exe+1af6|\SystemRoot\System32\smss.exe+14cb|\SystemRoot\System32\smss.exe+130f|\SystemRoot\System32\smss.exe+1096|C:\Windows\SYSTEM32\ntdll.dll+5179f 154100x8000000000000000273372Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:02.272{EDA2768C-741A-642D-2B01-00000000CB02}3880C:\Windows\System32\csrss.exe10.0.14393.2969 (rs1_release.190503-1820)Client Server Runtime ProcessMicrosoft® Windows® Operating SystemMicrosoft CorporationCSRSS.Exe%%SystemRoot%%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16C:\Windows\system32\NT AUTHORITY\SYSTEM{EDA2768C-6FDA-642D-E703-000000000000}0x3e72SystemMD5=955E9227AA30A08B7465C109B863B886,SHA256=D896480BC8523FAD3AE152C81A2B572022C3778A34A6D85E089D150A68E9165E,IMPHASH=273BC9D936389D79244E6E56BE5096B6{EDA2768C-741A-642D-2A01-00000000CB02}2640C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 00000100 0000007c 10341000x8000000000000000273371Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:02.252{EDA2768C-6FD6-642D-0200-00000000CB02}320328C:\Windows\System32\smss.exe{EDA2768C-741A-642D-2A01-00000000CB02}2640C:\Windows\System32\smss.exe0x101441C:\Windows\SYSTEM32\ntdll.dll+a6ce4|\SystemRoot\System32\smss.exe+3fee|\SystemRoot\System32\smss.exe+3b53|C:\Windows\SYSTEM32\ntdll.dll+1d401|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000273370Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:02.252{EDA2768C-6FDC-642D-0C00-00000000CB02}856884C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273369Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:02.252{EDA2768C-6FDC-642D-0C00-00000000CB02}856884C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273368Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:02.252{EDA2768C-6FDC-642D-0C00-00000000CB02}856884C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273367Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:02.252{EDA2768C-6FDC-642D-0C00-00000000CB02}856884C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273366Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:02.252{EDA2768C-6FDC-642D-0C00-00000000CB02}856884C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273365Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:02.252{EDA2768C-6FDC-642D-0C00-00000000CB02}856884C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273364Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:02.252{EDA2768C-6FDC-642D-0C00-00000000CB02}856884C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273363Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:02.252{EDA2768C-6FDC-642D-0C00-00000000CB02}856884C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273362Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:02.252{EDA2768C-6FDC-642D-0C00-00000000CB02}856884C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273361Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:02.252{EDA2768C-6FD6-642D-0200-00000000CB02}320328C:\Windows\System32\smss.exe{EDA2768C-741A-642D-2A01-00000000CB02}2640C:\Windows\System32\smss.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\SYSTEM32\ntdll.dll+8c64e|C:\Windows\SYSTEM32\ntdll.dll+8c3f9|\SystemRoot\System32\smss.exe+2795|\SystemRoot\System32\smss.exe+2042|\SystemRoot\System32\smss.exe+36ee|\SystemRoot\System32\smss.exe+3c31|C:\Windows\SYSTEM32\ntdll.dll+1d401|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\SYSTEM32\ntdll.dll+5179f 154100x8000000000000000273360Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:02.253{EDA2768C-741A-642D-2A01-00000000CB02}2640C:\Windows\System32\smss.exe10.0.14393.2969 (rs1_release.190503-1820)Windows Session ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationsmss.exe\SystemRoot\System32\smss.exe 00000100 0000007c C:\Windows\NT AUTHORITY\SYSTEM{EDA2768C-6FDA-642D-E703-000000000000}0x3e72SystemMD5=725EC50D4B0F607BF5B45B5E0115770B,SHA256=56881BCAEAC350107A6453F38F020FE0E284DBE2E8A6F37ED482985E0DD98EA7,IMPHASH=09DDECA5943933973FE7DDDD24ED724A{EDA2768C-6FD6-642D-0200-00000000CB02}320C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 23542300x8000000000000000273359Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:02.033{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E795781A5002831DB3B1BB05F7D70DB8,SHA256=DB9844741B14EEFD077D359C4AED35C5D8AD10E44D1DAF6ACF27816D0113ADCF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000273513Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:03.970{EDA2768C-6FDA-642D-0B00-00000000CB02}6482388C:\Windows\system32\lsass.exe{EDA2768C-741B-642D-2D01-00000000CB02}3096C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273512Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:03.955{EDA2768C-6FDA-642D-0B00-00000000CB02}6482388C:\Windows\system32\lsass.exe{EDA2768C-741B-642D-2D01-00000000CB02}3096C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x8000000000000000273511Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-ConnectPipe2023-04-05 13:14:03.939{EDA2768C-6FDC-642D-1000-00000000CB02}360\TSVCPIPE-7c8c57f8-5ee8-4478-aec1-373d69d52884C:\Windows\System32\svchost.exe 17141700x8000000000000000273510Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-CreatePipe2023-04-05 13:14:03.939{EDA2768C-6FDC-642D-1000-00000000CB02}360\TSVCPIPE-7c8c57f8-5ee8-4478-aec1-373d69d52884C:\Windows\System32\svchost.exe 18141800x8000000000000000273509Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-ConnectPipe2023-04-05 13:14:03.830{EDA2768C-6FDC-642D-1000-00000000CB02}360\TSVCPIPE-cca84f04-32f6-434d-ba7c-5ce4cdbed022C:\Windows\System32\svchost.exe 17141700x8000000000000000273508Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-CreatePipe2023-04-05 13:14:03.830{EDA2768C-6FDC-642D-1000-00000000CB02}360\TSVCPIPE-cca84f04-32f6-434d-ba7c-5ce4cdbed022C:\Windows\System32\svchost.exe 10341000x8000000000000000273507Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:03.830{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FDC-642D-1300-00000000CB02}412C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\lsm.dll+6266e|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\combase.dll+3b21c|C:\Windows\System32\combase.dll+3aed2|C:\Windows\System32\combase.dll+397e8|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000273506Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:03.830{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FDC-642D-1000-00000000CB02}360C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\lsm.dll+6261d|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\combase.dll+3b21c|C:\Windows\System32\combase.dll+3aed2|C:\Windows\System32\combase.dll+397e8|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4 18141800x8000000000000000273505Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-ConnectPipe2023-04-05 13:14:03.830{EDA2768C-6FDC-642D-1000-00000000CB02}360\TSVCPIPE-04104dda-5b5c-40b7-bb4f-c9340525ffaaC:\Windows\System32\svchost.exe 17141700x8000000000000000273504Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-CreatePipe2023-04-05 13:14:03.830{EDA2768C-6FDC-642D-1000-00000000CB02}360\TSVCPIPE-04104dda-5b5c-40b7-bb4f-c9340525ffaaC:\Windows\System32\svchost.exe 10341000x8000000000000000273503Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:03.830{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FDC-642D-1300-00000000CB02}412C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273502Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:03.830{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FDC-642D-1300-00000000CB02}412C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273501Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:03.830{EDA2768C-6FDC-642D-1200-00000000CB02}3881676C:\Windows\system32\svchost.exe{EDA2768C-741B-642D-2D01-00000000CB02}3096C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273500Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:03.830{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2500-00000000CB02}2516C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273499Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:03.830{EDA2768C-6FDC-642D-1000-00000000CB02}360932C:\Windows\System32\svchost.exe{EDA2768C-741A-642D-2C01-00000000CB02}4020C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\termsrv.dll+a1377|c:\windows\system32\termsrv.dll+6a6bd|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273498Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:03.830{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FDD-642D-1600-00000000CB02}1288C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273497Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:03.814{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FDC-642D-1400-00000000CB02}1068C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273496Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:03.814{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FDC-642D-1400-00000000CB02}1068C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273495Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:03.814{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FDC-642D-1400-00000000CB02}1068C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273494Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:03.814{EDA2768C-6FDD-642D-1600-00000000CB02}12881956C:\Windows\system32\svchost.exe{EDA2768C-741A-642D-2C01-00000000CB02}4020C:\Windows\system32\winlogon.exe0x147aC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\themeservice.dll+3de3|c:\windows\system32\themeservice.dll+26c0|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273493Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:03.814{EDA2768C-6FDD-642D-1600-00000000CB02}12881324C:\Windows\system32\svchost.exe{EDA2768C-741A-642D-2C01-00000000CB02}4020C:\Windows\system32\winlogon.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273492Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:03.814{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FDD-642D-1600-00000000CB02}1288C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273491Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:03.814{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FDD-642D-1600-00000000CB02}1288C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273490Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:03.814{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FDD-642D-1600-00000000CB02}1288C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273489Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:03.814{EDA2768C-6FDC-642D-0C00-00000000CB02}856296C:\Windows\system32\svchost.exe{EDA2768C-741B-642D-2D01-00000000CB02}3096C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d41c2|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273488Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:03.814{EDA2768C-6FDC-642D-0C00-00000000CB02}856984C:\Windows\system32\svchost.exe{EDA2768C-6FDD-642D-1600-00000000CB02}1288C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273487Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:03.814{EDA2768C-6FDC-642D-0C00-00000000CB02}856296C:\Windows\system32\svchost.exe{EDA2768C-6FDD-642D-1600-00000000CB02}1288C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273486Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:03.814{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FDD-642D-1600-00000000CB02}1288C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273485Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:03.814{EDA2768C-6FDC-642D-0C00-00000000CB02}856984C:\Windows\system32\svchost.exe{EDA2768C-741A-642D-2C01-00000000CB02}4020C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+796b|c:\windows\system32\lsm.dll+396a|c:\windows\system32\SYSNTFY.dll+1fc3|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+35428|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273484Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:03.814{EDA2768C-6FDC-642D-0C00-00000000CB02}856984C:\Windows\system32\svchost.exe{EDA2768C-741A-642D-2C01-00000000CB02}4020C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\SYSNTFY.dll+1ad9|C:\Windows\System32\RPCRT4.dll+33c24|C:\Windows\System32\RPCRT4.dll+21580|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273483Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:03.814{EDA2768C-6FDA-642D-0B00-00000000CB02}6482388C:\Windows\system32\lsass.exe{EDA2768C-741A-642D-2C01-00000000CB02}4020C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\SYSNTFY.dll+1ad9|C:\Windows\System32\RPCRT4.dll+33c24|C:\Windows\System32\RPCRT4.dll+21580|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273482Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:03.814{EDA2768C-6FDD-642D-1600-00000000CB02}12881956C:\Windows\system32\svchost.exe{EDA2768C-741A-642D-2C01-00000000CB02}4020C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\SYSNTFY.dll+1ad9|C:\Windows\System32\RPCRT4.dll+33c24|C:\Windows\System32\RPCRT4.dll+21580|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273481Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:03.783{EDA2768C-6FDC-642D-1200-00000000CB02}3881676C:\Windows\system32\svchost.exe{EDA2768C-741B-642D-2D01-00000000CB02}3096C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273480Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:03.783{EDA2768C-6FDC-642D-1200-00000000CB02}3881676C:\Windows\system32\svchost.exe{EDA2768C-741B-642D-2D01-00000000CB02}3096C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273479Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:03.783{EDA2768C-6FDC-642D-1200-00000000CB02}3881676C:\Windows\system32\svchost.exe{EDA2768C-741B-642D-2D01-00000000CB02}3096C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273478Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:03.658{EDA2768C-6FDC-642D-0C00-00000000CB02}856984C:\Windows\system32\svchost.exe{EDA2768C-741B-642D-2D01-00000000CB02}3096C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273477Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:03.408{EDA2768C-741B-642D-2D01-00000000CB02}30963664C:\Windows\system32\LogonUI.exe{EDA2768C-741A-642D-2C01-00000000CB02}4020C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\logoncontroller.dll+2eef5|C:\Windows\System32\RPCRT4.dll+33c24|C:\Windows\System32\RPCRT4.dll+21580|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273476Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:03.408{EDA2768C-6FDC-642D-0C00-00000000CB02}856984C:\Windows\system32\svchost.exe{EDA2768C-741B-642D-2D01-00000000CB02}3096C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273475Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:03.408{EDA2768C-6FDC-642D-0C00-00000000CB02}856984C:\Windows\system32\svchost.exe{EDA2768C-741B-642D-2D01-00000000CB02}3096C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000273474Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:03.392{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E029939602B7053120FA49AC3EFFDFFD,SHA256=7E9F645627BD9EE6C47922D7E54CF8E50CD06A6BE1665F17A9970B71DB6CFEB6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273473Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:03.392{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=29421FA2445901979558ABA3F5F9EE51,SHA256=F63F791457E8370CDA2783D9F6D416240CA2B362BA8341B0BE8AB4B83D55924F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000273472Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:03.345{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-741B-642D-2E01-00000000CB02}3404C:\Windows\system32\dwm.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273471Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:03.345{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-741B-642D-2E01-00000000CB02}3404C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273470Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:03.345{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-741B-642D-2E01-00000000CB02}3404C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273469Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:03.236{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-741A-642D-2C01-00000000CB02}4020C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273468Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:03.236{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-741A-642D-2C01-00000000CB02}4020C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273467Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:03.236{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-741A-642D-2C01-00000000CB02}4020C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273466Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:03.236{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-741A-642D-2C01-00000000CB02}4020C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273465Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:03.220{EDA2768C-6FDD-642D-1600-00000000CB02}12881956C:\Windows\system32\svchost.exe{EDA2768C-741B-642D-2E01-00000000CB02}3404C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273464Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:03.220{EDA2768C-6FDD-642D-1600-00000000CB02}12881324C:\Windows\system32\svchost.exe{EDA2768C-741B-642D-2E01-00000000CB02}3404C:\Windows\system32\dwm.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273463Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:03.158{EDA2768C-6FDC-642D-0C00-00000000CB02}856984C:\Windows\system32\svchost.exe{EDA2768C-741B-642D-2D01-00000000CB02}3096C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273462Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:03.158{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-741B-642D-2D01-00000000CB02}3096C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d41c2|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273461Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:03.158{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-741B-642D-2D01-00000000CB02}3096C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273460Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:03.158{EDA2768C-6FDC-642D-0C00-00000000CB02}856984C:\Windows\system32\svchost.exe{EDA2768C-741B-642D-2D01-00000000CB02}3096C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273459Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:03.142{EDA2768C-6FDC-642D-0C00-00000000CB02}856984C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273458Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:03.142{EDA2768C-6FDC-642D-0C00-00000000CB02}856984C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273457Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:03.142{EDA2768C-6FDC-642D-0C00-00000000CB02}856984C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273456Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:03.142{EDA2768C-6FDC-642D-0C00-00000000CB02}856984C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273455Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:03.142{EDA2768C-6FDC-642D-0C00-00000000CB02}856984C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273454Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:03.142{EDA2768C-6FDC-642D-0C00-00000000CB02}856984C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273453Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:03.142{EDA2768C-6FDC-642D-0C00-00000000CB02}856984C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273452Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:03.142{EDA2768C-6FDC-642D-0C00-00000000CB02}856984C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273451Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:03.142{EDA2768C-6FDC-642D-0C00-00000000CB02}856984C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273450Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:03.142{EDA2768C-741A-642D-2B01-00000000CB02}3880172C:\Windows\system32\csrss.exe{EDA2768C-741B-642D-2E01-00000000CB02}3404C:\Windows\system32\dwm.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000273449Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:03.142{EDA2768C-741A-642D-2C01-00000000CB02}40201064C:\Windows\system32\winlogon.exe{EDA2768C-741B-642D-2E01-00000000CB02}3404C:\Windows\system32\dwm.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+6e193|C:\Windows\System32\KERNEL32.DLL+1d39f|C:\Windows\SYSTEM32\dwminit.dll+2d11|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000273448Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:03.146{EDA2768C-741B-642D-2E01-00000000CB02}3404C:\Windows\System32\dwm.exe10.0.14393.0 (rs1_release.160715-1616)Desktop Window ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationdwm.exe"dwm.exe"C:\Windows\system32\Window Manager\DWM-2{EDA2768C-741B-642D-1445-0E0000000000}0xe45142SystemMD5=C89F159A577F19F7F03C73C98D29D841,SHA256=B3E37997C1C62DD90D69EF83D6A6FC782BF9A5B8AD04A0D1528A8B7FA31AA408,IMPHASH=DDB7DE3741333EE031929A760FCD4542{EDA2768C-741A-642D-2C01-00000000CB02}4020C:\Windows\System32\winlogon.exewinlogon.exe 10341000x8000000000000000273447Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:03.142{EDA2768C-6FDA-642D-0B00-00000000CB02}6482388C:\Windows\system32\lsass.exe{EDA2768C-741A-642D-2C01-00000000CB02}4020C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+11a2e|C:\Windows\system32\lsasrv.dll+1f048|C:\Windows\system32\lsasrv.dll+1e271|C:\Windows\system32\lsasrv.dll+1cfbe|C:\Windows\system32\lsasrv.dll+28fbb|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273446Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:03.142{EDA2768C-6FDA-642D-0B00-00000000CB02}6482388C:\Windows\system32\lsass.exe{EDA2768C-741A-642D-2C01-00000000CB02}4020C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+11a2e|C:\Windows\system32\lsasrv.dll+1f048|C:\Windows\system32\lsasrv.dll+1e271|C:\Windows\system32\lsasrv.dll+1ca8e|C:\Windows\system32\lsasrv.dll+28fbb|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273445Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:03.142{EDA2768C-6FDA-642D-0B00-00000000CB02}6482388C:\Windows\system32\lsass.exe{EDA2768C-741A-642D-2C01-00000000CB02}4020C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+11a2e|C:\Windows\system32\lsasrv.dll+1b476|C:\Windows\system32\lsasrv.dll+1ca25|C:\Windows\system32\lsasrv.dll+28fbb|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273444Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:03.127{EDA2768C-6FDD-642D-1600-00000000CB02}12881956C:\Windows\system32\svchost.exe{EDA2768C-741B-642D-2D01-00000000CB02}3096C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273443Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:03.127{EDA2768C-6FDD-642D-1600-00000000CB02}12881324C:\Windows\system32\svchost.exe{EDA2768C-741B-642D-2D01-00000000CB02}3096C:\Windows\system32\LogonUI.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273442Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:03.095{EDA2768C-6FDC-642D-0C00-00000000CB02}856884C:\Windows\system32\svchost.exe{EDA2768C-741A-642D-2C01-00000000CB02}4020C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273441Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:03.095{EDA2768C-6FDC-642D-0C00-00000000CB02}856884C:\Windows\system32\svchost.exe{EDA2768C-741A-642D-2C01-00000000CB02}4020C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273440Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:03.095{EDA2768C-6FDC-642D-0C00-00000000CB02}856884C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273439Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:03.095{EDA2768C-6FDC-642D-0C00-00000000CB02}856884C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273438Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:03.095{EDA2768C-6FDC-642D-0C00-00000000CB02}856884C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273437Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:03.095{EDA2768C-6FDC-642D-0C00-00000000CB02}856884C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273436Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:03.095{EDA2768C-6FDC-642D-0C00-00000000CB02}856884C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273435Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:03.095{EDA2768C-6FDC-642D-0C00-00000000CB02}856884C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273434Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:03.095{EDA2768C-6FDC-642D-0C00-00000000CB02}856884C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273433Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:03.095{EDA2768C-6FDC-642D-0C00-00000000CB02}856884C:\Windows\system32\svchost.exe{EDA2768C-6FDA-642D-0B00-00000000CB02}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273432Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:03.095{EDA2768C-6FDC-642D-0C00-00000000CB02}856984C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273431Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:03.095{EDA2768C-6FDC-642D-0C00-00000000CB02}856984C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273430Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:03.095{EDA2768C-741A-642D-2B01-00000000CB02}38801776C:\Windows\system32\csrss.exe{EDA2768C-741B-642D-2D01-00000000CB02}3096C:\Windows\system32\LogonUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000273429Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:03.095{EDA2768C-6FDA-642D-0B00-00000000CB02}6482388C:\Windows\system32\lsass.exe{EDA2768C-741A-642D-2C01-00000000CB02}4020C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1bfed|C:\Windows\system32\lsasrv.dll+28fbb|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273428Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:03.095{EDA2768C-6FDA-642D-0B00-00000000CB02}6482388C:\Windows\system32\lsass.exe{EDA2768C-741A-642D-2C01-00000000CB02}4020C:\Windows\system32\winlogon.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26ae7|C:\Windows\system32\lsasrv.dll+27c55|C:\Windows\system32\lsasrv.dll+26965|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273427Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:03.095{EDA2768C-6FDA-642D-0B00-00000000CB02}6482388C:\Windows\system32\lsass.exe{EDA2768C-741A-642D-2C01-00000000CB02}4020C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+268ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273426Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:03.095{EDA2768C-741A-642D-2C01-00000000CB02}40201148C:\Windows\system32\winlogon.exe{EDA2768C-741B-642D-2D01-00000000CB02}3096C:\Windows\system32\LogonUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+6e193|C:\Windows\System32\KERNEL32.DLL+1d39f|C:\Windows\system32\winlogon.exe+193b7|C:\Windows\system32\winlogon.exe+22617|C:\Windows\system32\winlogon.exe+2b287|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000273425Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:03.097{EDA2768C-741B-642D-2D01-00000000CB02}3096C:\Windows\System32\LogonUI.exe10.0.14393.0 (rs1_release.160715-1616)Windows Logon User Interface HostMicrosoft® Windows® Operating SystemMicrosoft Corporationlogonui.exe"LogonUI.exe" /flags:0x2 /state0:0xa3a6a055 /state1:0x41c64e6dC:\Windows\system32\NT AUTHORITY\SYSTEM{EDA2768C-6FDA-642D-E703-000000000000}0x3e72SystemMD5=B38DFCF985D8AE5B1A17C264981E61C7,SHA256=AA62D29803D52EC06CD27ED3124E034048F09606EB7342181913C9817C7B44C5,IMPHASH=A6F3A84D171E55B51A7343E05C8DFAC3{EDA2768C-741A-642D-2C01-00000000CB02}4020C:\Windows\System32\winlogon.exewinlogon.exe 10341000x8000000000000000273424Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:03.080{EDA2768C-6FDC-642D-0C00-00000000CB02}856984C:\Windows\system32\svchost.exe{EDA2768C-741A-642D-2C01-00000000CB02}4020C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273423Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:03.080{EDA2768C-6FDC-642D-0C00-00000000CB02}856984C:\Windows\system32\svchost.exe{EDA2768C-741A-642D-2C01-00000000CB02}4020C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273422Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:03.080{EDA2768C-6FDD-642D-1600-00000000CB02}12881956C:\Windows\system32\svchost.exe{EDA2768C-741A-642D-2C01-00000000CB02}4020C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273421Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:03.080{EDA2768C-6FDD-642D-1600-00000000CB02}12881956C:\Windows\system32\svchost.exe{EDA2768C-741A-642D-2C01-00000000CB02}4020C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+4689|c:\windows\system32\themeservice.dll+3fdd|c:\windows\system32\themeservice.dll+3c53|c:\windows\system32\themeservice.dll+2675|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273420Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:03.080{EDA2768C-6FDD-642D-1600-00000000CB02}12881324C:\Windows\system32\svchost.exe{EDA2768C-741A-642D-2C01-00000000CB02}4020C:\Windows\system32\winlogon.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273419Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:03.080{EDA2768C-6FDD-642D-1600-00000000CB02}12881956C:\Windows\system32\svchost.exe{EDA2768C-741A-642D-2C01-00000000CB02}4020C:\Windows\system32\winlogon.exe0x147aC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\themeservice.dll+3de3|c:\windows\system32\themeservice.dll+26c0|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273418Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:03.080{EDA2768C-6FDD-642D-1600-00000000CB02}12881324C:\Windows\system32\svchost.exe{EDA2768C-741A-642D-2C01-00000000CB02}4020C:\Windows\system32\winlogon.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000209933Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:14:01.192{8E625C7F-6FE3-642D-6100-00000000CC02}3076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-176.us-east-2.compute.internal49910-false10.0.1.12-8000- 23542300x8000000000000000209932Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:14:04.584{8E625C7F-6FD8-642D-1E00-00000000CC02}1944NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=A7F5F15494D40628A6454642BDB837C6,SHA256=A232CA83B5EE3C99D23413319539A66CCCA50F101DFBC10136DB50B1520A2DBE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000209931Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:14:04.036{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=526F7C29D06D37B69441E8AF60EBAF14,SHA256=B812ECBCE7E4E397D7D16F95587D3AFCDCAC938A8E4BD63AD6F8C29DABF67876,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000273727Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:04.955{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FDD-642D-1600-00000000CB02}1288C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273726Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:04.955{EDA2768C-741C-642D-3201-00000000CB02}42204236C:\Windows\System32\RuntimeBroker.exe{EDA2768C-6FDD-642D-1600-00000000CB02}1288C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\TokenBroker.dll+112ea|C:\Windows\System32\TokenBroker.dll+d335|C:\Windows\System32\TokenBroker.dll+d669|C:\Windows\System32\TokenBroker.dll+1ff53|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+54d13|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+3b21c|C:\Windows\System32\combase.dll+3aed2|C:\Windows\System32\combase.dll+8aa6b|C:\Windows\System32\combase.dll+8c0c2|C:\Windows\System32\combase.dll+39b33|C:\Windows\System32\combase.dll+8c1dd|C:\Windows\System32\combase.dll+37f1c|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e 10341000x8000000000000000273725Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:04.955{EDA2768C-741C-642D-3201-00000000CB02}42204236C:\Windows\System32\RuntimeBroker.exe{EDA2768C-6FDD-642D-1600-00000000CB02}1288C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\TokenBroker.dll+22ee6|C:\Windows\System32\TokenBroker.dll+11213|C:\Windows\System32\TokenBroker.dll+d335|C:\Windows\System32\TokenBroker.dll+d669|C:\Windows\System32\TokenBroker.dll+1ff53|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+54d13|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+3b21c|C:\Windows\System32\combase.dll+3aed2|C:\Windows\System32\combase.dll+8aa6b|C:\Windows\System32\combase.dll+8c0c2|C:\Windows\System32\combase.dll+39b33|C:\Windows\System32\combase.dll+8c1dd|C:\Windows\System32\combase.dll+37f1c|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d 23542300x8000000000000000273724Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:04.955{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D93FD10A7C3FE303D2F44FC28C4EC1E4,SHA256=0DC95C60D863AFB40D24DCE45D8577EFB47A39C4DA1DD15D4F886D2A19908E69,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000273723Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:04.924{EDA2768C-6FDA-642D-0B00-00000000CB02}648852C:\Windows\system32\lsass.exe{EDA2768C-6FDD-642D-1600-00000000CB02}1288C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273722Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:04.908{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-741A-642D-2C01-00000000CB02}4020C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273721Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:04.908{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-741A-642D-2C01-00000000CB02}4020C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273720Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:04.908{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-741A-642D-2C01-00000000CB02}4020C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273719Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:04.908{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-741A-642D-2C01-00000000CB02}4020C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273718Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:04.908{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-741A-642D-2C01-00000000CB02}4020C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273717Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:04.908{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-741A-642D-2C01-00000000CB02}4020C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x8000000000000000273716Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-ConnectPipe2023-04-05 13:14:04.908{EDA2768C-6FDC-642D-1000-00000000CB02}360\TSVCPIPE-c86d85c0-40cf-4f4e-b24f-72f832fed1e2C:\Windows\System32\svchost.exe 17141700x8000000000000000273715Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-CreatePipe2023-04-05 13:14:04.908{EDA2768C-6FDC-642D-1000-00000000CB02}360\TSVCPIPE-c86d85c0-40cf-4f4e-b24f-72f832fed1e2C:\Windows\System32\svchost.exe 10341000x8000000000000000273714Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:04.845{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FDD-642D-1600-00000000CB02}1288C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273713Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:04.845{EDA2768C-741A-642D-2B01-00000000CB02}3880172C:\Windows\system32\csrss.exe{EDA2768C-741C-642D-3101-00000000CB02}4192C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000273712Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:04.845{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-741B-642D-2E01-00000000CB02}3404C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273711Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:04.845{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-741B-642D-2E01-00000000CB02}3404C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273710Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:04.845{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273709Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:04.845{EDA2768C-6FD9-642D-0500-00000000CB02}420436C:\Windows\system32\csrss.exe{EDA2768C-741C-642D-3101-00000000CB02}4192C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000273708Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:04.845{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273707Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:04.845{EDA2768C-6FDC-642D-1000-00000000CB02}360932C:\Windows\System32\svchost.exe{EDA2768C-741C-642D-3101-00000000CB02}4192C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+6e193|C:\Windows\System32\KERNEL32.DLL+1d39f|c:\windows\system32\termsrv.dll+47f71|c:\windows\system32\termsrv.dll+1982c|c:\windows\system32\termsrv.dll+2320b|c:\windows\system32\termsrv.dll+22643|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\combase.dll+3b21c|C:\Windows\System32\combase.dll+3aed2|C:\Windows\System32\combase.dll+397e8|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 10341000x8000000000000000273706Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:04.845{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273705Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:04.845{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000273704Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:04.830{EDA2768C-741C-642D-3101-00000000CB02}4192C:\Windows\System32\rdpclip.exe10.0.14393.3503 (rs1_release.200131-0410)RDP Clipboard MonitorMicrosoft® Windows® Operating SystemMicrosoft Corporationrdpclip.exerdpclipC:\Windows\system32\ATTACKRANGE\Administrator{EDA2768C-741C-642D-98C4-0E0000000000}0xec4982HighMD5=D887E718FB0F4C99B9F01C5BD59F8B90,SHA256=ACFA1128B4EDD953F6364FA6216337A59C0522A01349263A11259A827838A56F,IMPHASH=5A464814303942D42A66B561CF697F26{EDA2768C-6FDC-642D-1000-00000000CB02}360C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k termsvcs 10341000x8000000000000000273703Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:04.814{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FDC-642D-1000-00000000CB02}360C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\lsm.dll+f290|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\combase.dll+3b21c|C:\Windows\System32\combase.dll+3aed2|C:\Windows\System32\combase.dll+397e8|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4 23542300x8000000000000000273702Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:04.814{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBB36781571E494FD5A442B942678044,SHA256=1E4C84E804DFA16BE121A0CED306BFABF251B1218C70CE9423DC26959718D6B5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000273701Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:04.783{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-741C-642D-3001-00000000CB02}4144C:\Windows\system32\TSTheme.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273700Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:04.767{EDA2768C-6FDD-642D-1600-00000000CB02}12881684C:\Windows\system32\svchost.exe{EDA2768C-741C-642D-3001-00000000CB02}4144C:\Windows\system32\TSTheme.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273699Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:04.767{EDA2768C-6FDD-642D-1600-00000000CB02}12881324C:\Windows\system32\svchost.exe{EDA2768C-741C-642D-3001-00000000CB02}4144C:\Windows\system32\TSTheme.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273698Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:04.736{EDA2768C-741A-642D-2B01-00000000CB02}38801776C:\Windows\system32\csrss.exe{EDA2768C-741C-642D-3001-00000000CB02}4144C:\Windows\system32\TSTheme.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000273697Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:04.736{EDA2768C-6FDC-642D-0C00-00000000CB02}856296C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273696Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:04.736{EDA2768C-6FDC-642D-0C00-00000000CB02}856296C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273695Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:04.736{EDA2768C-6FDC-642D-0C00-00000000CB02}856296C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273694Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:04.736{EDA2768C-6FDC-642D-0C00-00000000CB02}856296C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273693Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:04.720{EDA2768C-6FDC-642D-0C00-00000000CB02}856296C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273692Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:04.720{EDA2768C-6FDC-642D-0C00-00000000CB02}856296C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273691Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:04.720{EDA2768C-6FDC-642D-0C00-00000000CB02}856296C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273690Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:04.720{EDA2768C-6FDC-642D-0C00-00000000CB02}856296C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273689Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:04.720{EDA2768C-6FDC-642D-0C00-00000000CB02}856296C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273688Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:04.720{EDA2768C-6FDC-642D-0C00-00000000CB02}856296C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273687Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:04.720{EDA2768C-6FDC-642D-0C00-00000000CB02}856296C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273686Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:04.720{EDA2768C-6FDC-642D-0C00-00000000CB02}856296C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273685Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:04.720{EDA2768C-6FD9-642D-0500-00000000CB02}420436C:\Windows\system32\csrss.exe{EDA2768C-741C-642D-3001-00000000CB02}4144C:\Windows\system32\TSTheme.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000273684Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:04.720{EDA2768C-6FDC-642D-0C00-00000000CB02}856984C:\Windows\system32\svchost.exe{EDA2768C-741C-642D-3001-00000000CB02}4144C:\Windows\system32\TSTheme.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+6e193|C:\Windows\System32\KERNEL32.DLL+1d39f|c:\windows\system32\rpcss.dll+26002|c:\windows\system32\rpcss.dll+415bd|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000273683Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:04.732{EDA2768C-741C-642D-3001-00000000CB02}4144C:\Windows\System32\TSTheme.exe10.0.14393.4169 (rs1_release.210107-1130)TSTheme Server ModuleMicrosoft® Windows® Operating SystemMicrosoft CorporationTSThemeS.exeC:\Windows\system32\TSTheme.exe -EmbeddingC:\Windows\system32\ATTACKRANGE\Administrator{EDA2768C-741C-642D-98C4-0E0000000000}0xec4982HighMD5=D5E6B1DA9AEE1CC85A50894A07700B98,SHA256=3A22AAA677B8B658386F6A22ECFB36795DC1BE55AED591FEAA05CA8D36973464,IMPHASH=851EBF0BAEED8A212E02B93229FDC674{EDA2768C-6FDC-642D-0C00-00000000CB02}856C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 10341000x8000000000000000273682Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:04.720{EDA2768C-6FDC-642D-0C00-00000000CB02}856296C:\Windows\system32\svchost.exe{EDA2768C-6FDC-642D-1300-00000000CB02}412C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+773d|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273681Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:04.720{EDA2768C-6FEA-642D-2500-00000000CB02}25162544C:\Windows\System32\spoolsv.exe{EDA2768C-6FDC-642D-1300-00000000CB02}412C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\spoolsv.exe+1b6e3|C:\Windows\System32\spoolsv.exe+1b549|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+3582b|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273680Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:04.720{EDA2768C-6FDC-642D-0C00-00000000CB02}856984C:\Windows\system32\svchost.exe{EDA2768C-6FDC-642D-1300-00000000CB02}412C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273679Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:04.720{EDA2768C-6FDC-642D-0C00-00000000CB02}856296C:\Windows\system32\svchost.exe{EDA2768C-6FDC-642D-1300-00000000CB02}412C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+163fd|c:\windows\system32\lsm.dll+23c29|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d41c2|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273678Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:04.720{EDA2768C-6FDC-642D-0C00-00000000CB02}856984C:\Windows\system32\svchost.exe{EDA2768C-6FDC-642D-1300-00000000CB02}412C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273677Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:04.720{EDA2768C-6FDC-642D-0C00-00000000CB02}856296C:\Windows\system32\svchost.exe{EDA2768C-6FDC-642D-1300-00000000CB02}412C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23c18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d41c2|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273676Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:04.720{EDA2768C-6FDC-642D-0C00-00000000CB02}856296C:\Windows\system32\svchost.exe{EDA2768C-6FDC-642D-1300-00000000CB02}412C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|c:\windows\system32\lsm.dll+1fc37|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273675Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:04.720{EDA2768C-6FDC-642D-0C00-00000000CB02}856296C:\Windows\system32\svchost.exe{EDA2768C-6FDC-642D-1300-00000000CB02}412C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1fb39|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273674Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:04.720{EDA2768C-6FDC-642D-0C00-00000000CB02}856296C:\Windows\system32\svchost.exe{EDA2768C-6FDC-642D-1300-00000000CB02}412C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1a375|c:\windows\system32\lsm.dll+23fc9|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273673Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:04.720{EDA2768C-6FDC-642D-0C00-00000000CB02}856296C:\Windows\system32\svchost.exe{EDA2768C-6FDC-642D-1300-00000000CB02}412C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23fc1|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273672Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:04.705{EDA2768C-6FDC-642D-0C00-00000000CB02}856296C:\Windows\system32\svchost.exe{EDA2768C-6FDD-642D-1600-00000000CB02}1288C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273671Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:04.705{EDA2768C-6FDC-642D-0C00-00000000CB02}856984C:\Windows\system32\svchost.exe{EDA2768C-6FDC-642D-1300-00000000CB02}412C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273670Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:04.705{EDA2768C-6FDC-642D-0C00-00000000CB02}856296C:\Windows\system32\svchost.exe{EDA2768C-6FDD-642D-1600-00000000CB02}1288C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273669Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:04.705{EDA2768C-6FDC-642D-0C00-00000000CB02}856296C:\Windows\system32\svchost.exe{EDA2768C-6FDD-642D-1600-00000000CB02}1288C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273668Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:04.705{EDA2768C-6FDC-642D-0C00-00000000CB02}856984C:\Windows\system32\svchost.exe{EDA2768C-6FDC-642D-1300-00000000CB02}412C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+773d|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273667Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:04.705{EDA2768C-6FDC-642D-0C00-00000000CB02}8564120C:\Windows\system32\svchost.exe{EDA2768C-6FDC-642D-1300-00000000CB02}412C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273666Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:04.705{EDA2768C-6FDC-642D-0C00-00000000CB02}856452C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2500-00000000CB02}2516C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+6668|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273665Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:04.705{EDA2768C-6FDC-642D-0C00-00000000CB02}856296C:\Windows\system32\svchost.exe{EDA2768C-6FDD-642D-1600-00000000CB02}1288C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273664Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:04.705{EDA2768C-6FDC-642D-0C00-00000000CB02}856452C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2500-00000000CB02}2516C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+6668|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273663Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:04.705{EDA2768C-6FDC-642D-0C00-00000000CB02}856296C:\Windows\system32\svchost.exe{EDA2768C-6FDD-642D-1600-00000000CB02}1288C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273662Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:04.705{EDA2768C-6FDC-642D-0C00-00000000CB02}856296C:\Windows\system32\svchost.exe{EDA2768C-6FDD-642D-1600-00000000CB02}1288C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273661Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:04.705{EDA2768C-6FDC-642D-0C00-00000000CB02}856984C:\Windows\system32\svchost.exe{EDA2768C-6FDC-642D-1300-00000000CB02}412C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273660Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:04.705{EDA2768C-6FDC-642D-0C00-00000000CB02}856296C:\Windows\system32\svchost.exe{EDA2768C-6FDC-642D-1300-00000000CB02}412C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+163fd|c:\windows\system32\lsm.dll+23c29|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d41c2|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273659Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:04.705{EDA2768C-6FDC-642D-0C00-00000000CB02}856984C:\Windows\system32\svchost.exe{EDA2768C-6FDC-642D-1300-00000000CB02}412C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273658Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:04.705{EDA2768C-6FDC-642D-0C00-00000000CB02}856296C:\Windows\system32\svchost.exe{EDA2768C-6FDC-642D-1300-00000000CB02}412C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23c18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d41c2|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273657Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:04.705{EDA2768C-6FDC-642D-0C00-00000000CB02}856984C:\Windows\system32\svchost.exe{EDA2768C-6FDD-642D-1600-00000000CB02}1288C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273656Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:04.705{EDA2768C-6FDC-642D-0C00-00000000CB02}856296C:\Windows\system32\svchost.exe{EDA2768C-6FDC-642D-1300-00000000CB02}412C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|c:\windows\system32\lsm.dll+1fc37|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273655Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:04.705{EDA2768C-6FDC-642D-0C00-00000000CB02}856296C:\Windows\system32\svchost.exe{EDA2768C-6FDC-642D-1300-00000000CB02}412C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1fb39|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273654Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:04.705{EDA2768C-6FDC-642D-0C00-00000000CB02}856296C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2500-00000000CB02}2516C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273653Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:04.705{EDA2768C-6FDC-642D-0C00-00000000CB02}856984C:\Windows\system32\svchost.exe{EDA2768C-6FDD-642D-1600-00000000CB02}1288C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273652Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:04.705{EDA2768C-6FDC-642D-0C00-00000000CB02}856984C:\Windows\system32\svchost.exe{EDA2768C-6FDD-642D-1600-00000000CB02}1288C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273651Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:04.705{EDA2768C-6FDC-642D-0C00-00000000CB02}856452C:\Windows\system32\svchost.exe{EDA2768C-6FDD-642D-1600-00000000CB02}1288C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+773d|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273650Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:04.705{EDA2768C-6FDC-642D-0C00-00000000CB02}856452C:\Windows\system32\svchost.exe{EDA2768C-6FDC-642D-1300-00000000CB02}412C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273649Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:04.705{EDA2768C-6FDC-642D-0C00-00000000CB02}856296C:\Windows\system32\svchost.exe{EDA2768C-6FDD-642D-1600-00000000CB02}1288C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273648Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:04.705{EDA2768C-6FDC-642D-0C00-00000000CB02}856452C:\Windows\system32\svchost.exe{EDA2768C-6FDC-642D-1300-00000000CB02}412C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273647Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:04.705{EDA2768C-6FDC-642D-0C00-00000000CB02}856296C:\Windows\system32\svchost.exe{EDA2768C-6FDD-642D-1600-00000000CB02}1288C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273646Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:04.705{EDA2768C-6FDC-642D-0C00-00000000CB02}856296C:\Windows\system32\svchost.exe{EDA2768C-6FDD-642D-1600-00000000CB02}1288C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273645Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:04.705{EDA2768C-6FDC-642D-0C00-00000000CB02}856452C:\Windows\system32\svchost.exe{EDA2768C-6FDD-642D-1600-00000000CB02}1288C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273644Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:04.705{EDA2768C-6FDC-642D-0C00-00000000CB02}856984C:\Windows\system32\svchost.exe{EDA2768C-6FDD-642D-1600-00000000CB02}1288C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273643Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:04.705{EDA2768C-6FDC-642D-0C00-00000000CB02}856452C:\Windows\system32\svchost.exe{EDA2768C-6FDD-642D-1600-00000000CB02}1288C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+163fd|c:\windows\system32\lsm.dll+23c29|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d41c2|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273642Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:04.705{EDA2768C-6FDC-642D-0C00-00000000CB02}856984C:\Windows\system32\svchost.exe{EDA2768C-6FDD-642D-1600-00000000CB02}1288C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273641Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:04.705{EDA2768C-6FDC-642D-0C00-00000000CB02}856452C:\Windows\system32\svchost.exe{EDA2768C-6FDD-642D-1600-00000000CB02}1288C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23c18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d41c2|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273640Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:04.705{EDA2768C-6FDC-642D-0C00-00000000CB02}856296C:\Windows\system32\svchost.exe{EDA2768C-6FDC-642D-1300-00000000CB02}412C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+773d|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273639Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:04.705{EDA2768C-6FDC-642D-0C00-00000000CB02}856452C:\Windows\system32\svchost.exe{EDA2768C-6FDD-642D-1600-00000000CB02}1288C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273638Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:04.705{EDA2768C-6FDC-642D-0C00-00000000CB02}856984C:\Windows\system32\svchost.exe{EDA2768C-6FDC-642D-1300-00000000CB02}412C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273637Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:04.705{EDA2768C-6FDC-642D-0C00-00000000CB02}856296C:\Windows\system32\svchost.exe{EDA2768C-6FDD-642D-1600-00000000CB02}1288C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|c:\windows\system32\lsm.dll+1fc37|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273636Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:04.705{EDA2768C-6FDC-642D-0C00-00000000CB02}856296C:\Windows\system32\svchost.exe{EDA2768C-6FDD-642D-1600-00000000CB02}1288C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1fb39|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273635Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:04.705{EDA2768C-6FDC-642D-0C00-00000000CB02}856296C:\Windows\system32\svchost.exe{EDA2768C-6FDD-642D-1600-00000000CB02}1288C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1a375|c:\windows\system32\lsm.dll+23fc9|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273634Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:04.705{EDA2768C-6FDC-642D-0C00-00000000CB02}856296C:\Windows\system32\svchost.exe{EDA2768C-6FDD-642D-1600-00000000CB02}1288C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23fc1|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273633Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:04.689{EDA2768C-6FDC-642D-0C00-00000000CB02}856984C:\Windows\system32\svchost.exe{EDA2768C-6FDD-642D-1600-00000000CB02}1288C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+773d|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273632Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:04.689{EDA2768C-6FDC-642D-0C00-00000000CB02}856984C:\Windows\system32\svchost.exe{EDA2768C-6FDD-642D-1600-00000000CB02}1288C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273631Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:04.689{EDA2768C-6FDC-642D-0C00-00000000CB02}856984C:\Windows\system32\svchost.exe{EDA2768C-6FDD-642D-1600-00000000CB02}1288C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273630Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:04.689{EDA2768C-6FDC-642D-0C00-00000000CB02}856296C:\Windows\system32\svchost.exe{EDA2768C-6FDD-642D-1600-00000000CB02}1288C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+163fd|c:\windows\system32\lsm.dll+23c29|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d41c2|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273629Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:04.689{EDA2768C-6FDC-642D-0C00-00000000CB02}856984C:\Windows\system32\svchost.exe{EDA2768C-6FDD-642D-1600-00000000CB02}1288C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273628Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:04.689{EDA2768C-6FDC-642D-0C00-00000000CB02}856296C:\Windows\system32\svchost.exe{EDA2768C-6FDD-642D-1600-00000000CB02}1288C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23c18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d41c2|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273627Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:04.689{EDA2768C-6FDC-642D-0C00-00000000CB02}856296C:\Windows\system32\svchost.exe{EDA2768C-6FDD-642D-1600-00000000CB02}1288C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|c:\windows\system32\lsm.dll+1fc37|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273626Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:04.689{EDA2768C-6FDC-642D-0C00-00000000CB02}856296C:\Windows\system32\svchost.exe{EDA2768C-6FDD-642D-1600-00000000CB02}1288C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1fb39|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273625Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:04.689{EDA2768C-6FDC-642D-0C00-00000000CB02}856296C:\Windows\system32\svchost.exe{EDA2768C-6FDD-642D-1600-00000000CB02}1288C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273624Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:04.689{EDA2768C-6FDC-642D-0C00-00000000CB02}856296C:\Windows\system32\svchost.exe{EDA2768C-6FDD-642D-1600-00000000CB02}1288C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273623Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:04.689{EDA2768C-6FDC-642D-0C00-00000000CB02}856296C:\Windows\system32\svchost.exe{EDA2768C-6FDD-642D-1600-00000000CB02}1288C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273622Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:04.689{EDA2768C-6FDC-642D-0C00-00000000CB02}856296C:\Windows\system32\svchost.exe{EDA2768C-6FDD-642D-1600-00000000CB02}1288C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+773d|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273621Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:04.689{EDA2768C-6FDC-642D-0C00-00000000CB02}856296C:\Windows\system32\svchost.exe{EDA2768C-6FDD-642D-1600-00000000CB02}1288C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273620Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:04.689{EDA2768C-6FDC-642D-0C00-00000000CB02}856296C:\Windows\system32\svchost.exe{EDA2768C-6FDD-642D-1600-00000000CB02}1288C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23e0b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273619Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:04.689{EDA2768C-6FDC-642D-0C00-00000000CB02}856296C:\Windows\system32\svchost.exe{EDA2768C-6FDD-642D-1600-00000000CB02}1288C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273618Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:04.689{EDA2768C-6FDC-642D-0C00-00000000CB02}856296C:\Windows\system32\svchost.exe{EDA2768C-6FDD-642D-1600-00000000CB02}1288C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273617Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:04.689{EDA2768C-6FDC-642D-0C00-00000000CB02}856296C:\Windows\system32\svchost.exe{EDA2768C-6FDD-642D-1600-00000000CB02}1288C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273616Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:04.689{EDA2768C-6FDC-642D-0C00-00000000CB02}856296C:\Windows\system32\svchost.exe{EDA2768C-6FDD-642D-1600-00000000CB02}1288C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273615Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:04.689{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FDC-642D-1000-00000000CB02}360C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\lsm.dll+f290|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\combase.dll+3b21c|C:\Windows\System32\combase.dll+3aed2|C:\Windows\System32\combase.dll+397e8|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000273614Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:04.689{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FDC-642D-1000-00000000CB02}360C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\lsm.dll+f290|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\combase.dll+3b21c|C:\Windows\System32\combase.dll+3aed2|C:\Windows\System32\combase.dll+397e8|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000273613Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:04.689{EDA2768C-6FDC-642D-0C00-00000000CB02}856884C:\Windows\system32\svchost.exe{EDA2768C-741A-642D-2C01-00000000CB02}4020C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+796b|c:\windows\system32\lsm.dll+37c3|c:\windows\system32\SYSNTFY.dll+1dcb|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+35428|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273612Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:04.689{EDA2768C-6FDC-642D-0C00-00000000CB02}856884C:\Windows\system32\svchost.exe{EDA2768C-741A-642D-2C01-00000000CB02}4020C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\SYSNTFY.dll+1ad9|C:\Windows\System32\RPCRT4.dll+33c24|C:\Windows\System32\RPCRT4.dll+21580|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273611Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:04.689{EDA2768C-6FDC-642D-0C00-00000000CB02}856884C:\Windows\system32\svchost.exe{EDA2768C-6FDC-642D-1400-00000000CB02}1068C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273610Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:04.689{EDA2768C-6FDC-642D-0C00-00000000CB02}856884C:\Windows\system32\svchost.exe{EDA2768C-6FDC-642D-1400-00000000CB02}1068C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273609Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:04.689{EDA2768C-6FDC-642D-0C00-00000000CB02}856884C:\Windows\system32\svchost.exe{EDA2768C-6FDC-642D-1400-00000000CB02}1068C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000273608Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:04.595{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=725EC288DB858E9E5BAB58ECBE57F544,SHA256=A8050D4501918F872F67C0A21A6EB211AB4A178D58C35EB646AC072562D3D765,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000273607Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:04.580{EDA2768C-6FDA-642D-0B00-00000000CB02}648700C:\Windows\system32\lsass.exe{EDA2768C-6FDD-642D-1600-00000000CB02}1288C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273606Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:04.580{EDA2768C-6FDC-642D-0C00-00000000CB02}856884C:\Windows\system32\svchost.exe{EDA2768C-6FDC-642D-1400-00000000CB02}1068C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273605Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:04.580{EDA2768C-6FDC-642D-0C00-00000000CB02}856884C:\Windows\system32\svchost.exe{EDA2768C-6FDC-642D-1400-00000000CB02}1068C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273604Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:04.580{EDA2768C-6FDC-642D-0C00-00000000CB02}856884C:\Windows\system32\svchost.exe{EDA2768C-6FDC-642D-1400-00000000CB02}1068C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273603Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:04.580{EDA2768C-6FDA-642D-0B00-00000000CB02}648852C:\Windows\system32\lsass.exe{EDA2768C-6FDD-642D-1600-00000000CB02}1288C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273602Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:04.564{EDA2768C-6FDC-642D-0C00-00000000CB02}856884C:\Windows\system32\svchost.exe{EDA2768C-6FDC-642D-1400-00000000CB02}1068C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273601Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:04.564{EDA2768C-6FDC-642D-0C00-00000000CB02}856884C:\Windows\system32\svchost.exe{EDA2768C-6FDC-642D-1400-00000000CB02}1068C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273600Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:04.564{EDA2768C-6FDC-642D-0C00-00000000CB02}856884C:\Windows\system32\svchost.exe{EDA2768C-6FDC-642D-1400-00000000CB02}1068C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273599Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:04.564{EDA2768C-6FDC-642D-0C00-00000000CB02}856884C:\Windows\system32\svchost.exe{EDA2768C-6FDC-642D-1400-00000000CB02}1068C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273598Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:04.564{EDA2768C-6FDC-642D-0C00-00000000CB02}856884C:\Windows\system32\svchost.exe{EDA2768C-6FDC-642D-1400-00000000CB02}1068C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273597Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:04.564{EDA2768C-6FDC-642D-0C00-00000000CB02}856884C:\Windows\system32\svchost.exe{EDA2768C-6FDC-642D-1400-00000000CB02}1068C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273596Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:04.564{EDA2768C-6FDC-642D-0C00-00000000CB02}856884C:\Windows\system32\svchost.exe{EDA2768C-6FDD-642D-1600-00000000CB02}1288C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273595Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:04.533{EDA2768C-6FDA-642D-0B00-00000000CB02}648852C:\Windows\system32\lsass.exe{EDA2768C-6FDD-642D-1600-00000000CB02}1288C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273594Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:04.517{EDA2768C-6FDC-642D-0C00-00000000CB02}856884C:\Windows\system32\svchost.exe{EDA2768C-741C-642D-2F01-00000000CB02}1088C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273593Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:04.502{EDA2768C-6FD9-642D-0500-00000000CB02}420784C:\Windows\system32\csrss.exe{EDA2768C-741C-642D-2F01-00000000CB02}1088C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000273592Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:04.502{EDA2768C-6FDC-642D-0C00-00000000CB02}856884C:\Windows\system32\svchost.exe{EDA2768C-741C-642D-2F01-00000000CB02}1088C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+6e193|C:\Windows\System32\KERNEL32.DLL+1d39f|c:\windows\system32\rpcss.dll+25579|c:\windows\system32\rpcss.dll+3fd82|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273591Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:04.486{EDA2768C-6FDA-642D-0B00-00000000CB02}648852C:\Windows\system32\lsass.exe{EDA2768C-6FDD-642D-1600-00000000CB02}1288C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+11a2e|C:\Windows\system32\lsasrv.dll+20b1a|C:\Windows\SYSTEM32\samsrv.dll+6141|C:\Windows\SYSTEM32\samsrv.dll+6042|C:\Windows\SYSTEM32\samsrv.dll+161ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273590Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:04.424{EDA2768C-6FDA-642D-0B00-00000000CB02}648852C:\Windows\system32\lsass.exe{EDA2768C-6FDD-642D-1600-00000000CB02}1288C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273589Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:04.424{EDA2768C-6FDC-642D-0C00-00000000CB02}856884C:\Windows\system32\svchost.exe{EDA2768C-6FDC-642D-1000-00000000CB02}360C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\lsm.dll+6266e|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\combase.dll+3b21c|C:\Windows\System32\combase.dll+3aed2|C:\Windows\System32\combase.dll+397e8|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000273588Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:04.424{EDA2768C-6FDC-642D-0C00-00000000CB02}856884C:\Windows\system32\svchost.exe{EDA2768C-6FDD-642D-1600-00000000CB02}1288C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\lsm.dll+6261d|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\combase.dll+3b21c|C:\Windows\System32\combase.dll+3aed2|C:\Windows\System32\combase.dll+397e8|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000273587Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:04.424{EDA2768C-6FDD-642D-1600-00000000CB02}12881956C:\Windows\system32\svchost.exe{EDA2768C-741A-642D-2C01-00000000CB02}4020C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\SYSNTFY.dll+1ad9|C:\Windows\System32\RPCRT4.dll+33c24|C:\Windows\System32\RPCRT4.dll+21580|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273586Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:04.424{EDA2768C-6FDC-642D-0C00-00000000CB02}856884C:\Windows\system32\svchost.exe{EDA2768C-741A-642D-2C01-00000000CB02}4020C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\lsm.dll+5b40|c:\windows\system32\lsm.dll+2de4|c:\windows\system32\lsm.dll+57af|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273585Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:04.424{EDA2768C-6FDC-642D-0C00-00000000CB02}856884C:\Windows\system32\svchost.exe{EDA2768C-741A-642D-2C01-00000000CB02}4020C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+796b|c:\windows\system32\lsm.dll+2dce|c:\windows\system32\lsm.dll+57af|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273584Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:04.424{EDA2768C-6FDC-642D-0C00-00000000CB02}856884C:\Windows\system32\svchost.exe{EDA2768C-741A-642D-2C01-00000000CB02}4020C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\lsm.dll+5b40|c:\windows\system32\lsm.dll+5f9d|c:\windows\system32\lsm.dll+57a4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273583Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:04.408{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FDC-642D-1000-00000000CB02}360C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\lsm.dll+f290|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\combase.dll+3b21c|C:\Windows\System32\combase.dll+3aed2|C:\Windows\System32\combase.dll+397e8|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000273582Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:04.408{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FDC-642D-1000-00000000CB02}360C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\lsm.dll+f290|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\combase.dll+3b21c|C:\Windows\System32\combase.dll+3aed2|C:\Windows\System32\combase.dll+397e8|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000273581Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:04.408{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FDC-642D-1000-00000000CB02}360C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\lsm.dll+f290|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\combase.dll+3b21c|C:\Windows\System32\combase.dll+3aed2|C:\Windows\System32\combase.dll+397e8|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000273580Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:04.408{EDA2768C-6FDC-642D-0C00-00000000CB02}856884C:\Windows\system32\svchost.exe{EDA2768C-741A-642D-2C01-00000000CB02}4020C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\lsm.dll+5b40|c:\windows\system32\lsm.dll+2f9b|c:\windows\system32\lsm.dll+5727|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273579Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:04.408{EDA2768C-6FDC-642D-0C00-00000000CB02}856884C:\Windows\system32\svchost.exe{EDA2768C-741A-642D-2C01-00000000CB02}4020C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+796b|c:\windows\system32\lsm.dll+2f4d|c:\windows\system32\lsm.dll+5727|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273578Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:04.408{EDA2768C-6FDC-642D-0C00-00000000CB02}856884C:\Windows\system32\svchost.exe{EDA2768C-741A-642D-2C01-00000000CB02}4020C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\lsm.dll+5b40|c:\windows\system32\lsm.dll+5f9d|c:\windows\system32\lsm.dll+5718|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273577Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:04.408{EDA2768C-6FDC-642D-0C00-00000000CB02}856884C:\Windows\system32\svchost.exe{EDA2768C-741A-642D-2C01-00000000CB02}4020C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+56c4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273576Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:04.392{EDA2768C-6FDC-642D-0C00-00000000CB02}856884C:\Windows\system32\svchost.exe{EDA2768C-741B-642D-2D01-00000000CB02}3096C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1a375|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273575Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:04.392{EDA2768C-6FDC-642D-0C00-00000000CB02}856884C:\Windows\system32\svchost.exe{EDA2768C-741B-642D-2D01-00000000CB02}3096C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d41c2|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273574Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:04.392{EDA2768C-6FDC-642D-0C00-00000000CB02}856884C:\Windows\system32\svchost.exe{EDA2768C-741B-642D-2D01-00000000CB02}3096C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273573Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:04.392{EDA2768C-6FDC-642D-0C00-00000000CB02}856884C:\Windows\system32\svchost.exe{EDA2768C-741B-642D-2D01-00000000CB02}3096C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1a375|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273572Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:04.377{EDA2768C-6FDA-642D-0B00-00000000CB02}648852C:\Windows\system32\lsass.exe{EDA2768C-741A-642D-2C01-00000000CB02}4020C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273571Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:04.377{EDA2768C-6FDA-642D-0B00-00000000CB02}648852C:\Windows\system32\lsass.exe{EDA2768C-741A-642D-2C01-00000000CB02}4020C:\Windows\system32\winlogon.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26ae7|C:\Windows\system32\lsasrv.dll+27c55|C:\Windows\system32\lsasrv.dll+26965|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273570Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:04.377{EDA2768C-6FDA-642D-0B00-00000000CB02}648852C:\Windows\system32\lsass.exe{EDA2768C-741A-642D-2C01-00000000CB02}4020C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+268ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273569Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:04.377{EDA2768C-6FDA-642D-0B00-00000000CB02}648852C:\Windows\system32\lsass.exe{EDA2768C-6FDD-642D-1600-00000000CB02}1288C:\Windows\system32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26ae7|C:\Windows\system32\lsasrv.dll+27c55|C:\Windows\system32\lsasrv.dll+26965|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273568Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:04.361{EDA2768C-6FDA-642D-0B00-00000000CB02}648852C:\Windows\system32\lsass.exe{EDA2768C-6FDD-642D-1600-00000000CB02}1288C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+268ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273567Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:04.361{EDA2768C-6FDA-642D-0B00-00000000CB02}648852C:\Windows\system32\lsass.exe{EDA2768C-6FDD-642D-1600-00000000CB02}1288C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+11a2e|C:\Windows\system32\lsasrv.dll+1f048|C:\Windows\system32\lsasrv.dll+1e271|C:\Windows\system32\lsasrv.dll+1ca8e|C:\Windows\system32\lsasrv.dll+28fbb|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273566Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:04.361{EDA2768C-6FDA-642D-0B00-00000000CB02}648852C:\Windows\system32\lsass.exe{EDA2768C-6FDD-642D-1600-00000000CB02}1288C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+11a2e|C:\Windows\system32\lsasrv.dll+1b476|C:\Windows\system32\lsasrv.dll+1ca25|C:\Windows\system32\lsasrv.dll+28fbb|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273565Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:04.345{EDA2768C-6FDC-642D-0C00-00000000CB02}856884C:\Windows\system32\svchost.exe{EDA2768C-6FDA-642D-0B00-00000000CB02}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273564Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:04.345{EDA2768C-6FDA-642D-0B00-00000000CB02}648852C:\Windows\system32\lsass.exe{EDA2768C-6FDD-642D-1600-00000000CB02}1288C:\Windows\system32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26ae7|C:\Windows\system32\lsasrv.dll+27c55|C:\Windows\system32\lsasrv.dll+26965|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273563Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:04.345{EDA2768C-6FDA-642D-0B00-00000000CB02}648852C:\Windows\system32\lsass.exe{EDA2768C-6FDD-642D-1600-00000000CB02}1288C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+268ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273562Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:04.345{EDA2768C-6FDA-642D-0B00-00000000CB02}648852C:\Windows\system32\lsass.exe{EDA2768C-6FDD-642D-1600-00000000CB02}1288C:\Windows\system32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26ae7|C:\Windows\system32\lsasrv.dll+27c55|C:\Windows\system32\lsasrv.dll+26965|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273561Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:04.345{EDA2768C-6FDA-642D-0B00-00000000CB02}648852C:\Windows\system32\lsass.exe{EDA2768C-6FDD-642D-1600-00000000CB02}1288C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+268ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273560Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:04.330{EDA2768C-6FDC-642D-0C00-00000000CB02}856884C:\Windows\system32\svchost.exe{EDA2768C-741A-642D-2C01-00000000CB02}4020C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273559Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:04.330{EDA2768C-6FDC-642D-0C00-00000000CB02}856884C:\Windows\system32\svchost.exe{EDA2768C-741A-642D-2C01-00000000CB02}4020C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273558Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:04.330{EDA2768C-6FDA-642D-0B00-00000000CB02}648820C:\Windows\system32\lsass.exe{EDA2768C-741A-642D-2C01-00000000CB02}4020C:\Windows\system32\winlogon.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26ae7|C:\Windows\system32\lsasrv.dll+27c55|C:\Windows\system32\lsasrv.dll+26965|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273557Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:04.330{EDA2768C-6FDA-642D-0B00-00000000CB02}648820C:\Windows\system32\lsass.exe{EDA2768C-741A-642D-2C01-00000000CB02}4020C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+268ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000273556Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:04.236{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A62C0966C781CDBB6311779753A11AE3,SHA256=2ADDB3ACBEE069C74885D394D2C8AA533A58138ACE06429445611AF1C8DC868F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000273555Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:04.174{EDA2768C-6FDC-642D-0C00-00000000CB02}856884C:\Windows\system32\svchost.exe{EDA2768C-6FDC-642D-1300-00000000CB02}412C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273554Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:04.174{EDA2768C-6FDC-642D-0C00-00000000CB02}856884C:\Windows\system32\svchost.exe{EDA2768C-6FDC-642D-1300-00000000CB02}412C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273553Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:04.174{EDA2768C-6FDC-642D-0C00-00000000CB02}856884C:\Windows\system32\svchost.exe{EDA2768C-6FDC-642D-1300-00000000CB02}412C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273552Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:04.127{EDA2768C-6FDC-642D-0C00-00000000CB02}856884C:\Windows\system32\svchost.exe{EDA2768C-741B-642D-2D01-00000000CB02}3096C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+773d|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273551Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:04.127{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-741B-642D-2D01-00000000CB02}3096C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+163fd|c:\windows\system32\lsm.dll+23c29|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d41c2|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273550Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:04.127{EDA2768C-6FDC-642D-0C00-00000000CB02}856884C:\Windows\system32\svchost.exe{EDA2768C-741B-642D-2D01-00000000CB02}3096C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273549Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:04.127{EDA2768C-6FDC-642D-0C00-00000000CB02}856884C:\Windows\system32\svchost.exe{EDA2768C-741B-642D-2D01-00000000CB02}3096C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273548Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:04.127{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-741B-642D-2D01-00000000CB02}3096C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23c18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d41c2|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273547Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:04.127{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-741B-642D-2D01-00000000CB02}3096C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|c:\windows\system32\lsm.dll+1fc37|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273546Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:04.127{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-741B-642D-2D01-00000000CB02}3096C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1fb39|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273545Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:04.127{EDA2768C-6FDC-642D-0C00-00000000CB02}856884C:\Windows\system32\svchost.exe{EDA2768C-741B-642D-2D01-00000000CB02}3096C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273544Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:04.127{EDA2768C-6FDC-642D-0C00-00000000CB02}856884C:\Windows\system32\svchost.exe{EDA2768C-741B-642D-2D01-00000000CB02}3096C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273543Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:04.127{EDA2768C-6FDC-642D-0C00-00000000CB02}856884C:\Windows\system32\svchost.exe{EDA2768C-741B-642D-2D01-00000000CB02}3096C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+773d|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273542Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:04.127{EDA2768C-6FDC-642D-1000-00000000CB02}360956C:\Windows\System32\svchost.exe{EDA2768C-741B-642D-2D01-00000000CB02}3096C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\termsrv.dll+a1377|c:\windows\system32\termsrv.dll+6a9d8|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273541Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:04.127{EDA2768C-6FDC-642D-0C00-00000000CB02}856884C:\Windows\system32\svchost.exe{EDA2768C-741B-642D-2D01-00000000CB02}3096C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273540Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:04.127{EDA2768C-6FDC-642D-0C00-00000000CB02}856884C:\Windows\system32\svchost.exe{EDA2768C-741B-642D-2D01-00000000CB02}3096C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273539Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:04.127{EDA2768C-6FDA-642D-0B00-00000000CB02}648820C:\Windows\system32\lsass.exe{EDA2768C-741B-642D-2D01-00000000CB02}3096C:\Windows\system32\LogonUI.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26ae7|C:\Windows\system32\lsasrv.dll+27c55|C:\Windows\system32\lsasrv.dll+26965|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273538Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:04.127{EDA2768C-6FDA-642D-0B00-00000000CB02}648820C:\Windows\system32\lsass.exe{EDA2768C-741B-642D-2D01-00000000CB02}3096C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273537Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:04.127{EDA2768C-6FDA-642D-0B00-00000000CB02}648820C:\Windows\system32\lsass.exe{EDA2768C-741B-642D-2D01-00000000CB02}3096C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+268ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273536Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:04.127{EDA2768C-6FDA-642D-0B00-00000000CB02}648820C:\Windows\system32\lsass.exe{EDA2768C-741B-642D-2D01-00000000CB02}3096C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273535Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:04.127{EDA2768C-6FDA-642D-0B00-00000000CB02}648852C:\Windows\system32\lsass.exe{EDA2768C-741B-642D-2D01-00000000CB02}3096C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273534Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:04.127{EDA2768C-6FDA-642D-0B00-00000000CB02}648852C:\Windows\system32\lsass.exe{EDA2768C-741B-642D-2D01-00000000CB02}3096C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273533Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:04.127{EDA2768C-6FDA-642D-0B00-00000000CB02}648820C:\Windows\system32\lsass.exe{EDA2768C-741B-642D-2D01-00000000CB02}3096C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273532Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:04.111{EDA2768C-6FDA-642D-0B00-00000000CB02}6482388C:\Windows\system32\lsass.exe{EDA2768C-741B-642D-2D01-00000000CB02}3096C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273531Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:04.111{EDA2768C-6FDC-642D-0C00-00000000CB02}856884C:\Windows\system32\svchost.exe{EDA2768C-741B-642D-2D01-00000000CB02}3096C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273530Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:04.111{EDA2768C-6FDC-642D-0C00-00000000CB02}856884C:\Windows\system32\svchost.exe{EDA2768C-741B-642D-2D01-00000000CB02}3096C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273529Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:04.111{EDA2768C-6FDA-642D-0B00-00000000CB02}6482388C:\Windows\system32\lsass.exe{EDA2768C-741B-642D-2D01-00000000CB02}3096C:\Windows\system32\LogonUI.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26ae7|C:\Windows\system32\lsasrv.dll+27c55|C:\Windows\system32\lsasrv.dll+26965|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273528Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:04.111{EDA2768C-6FDA-642D-0B00-00000000CB02}6482388C:\Windows\system32\lsass.exe{EDA2768C-741B-642D-2D01-00000000CB02}3096C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+268ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273527Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:04.111{EDA2768C-6FDA-642D-0B00-00000000CB02}6482388C:\Windows\system32\lsass.exe{EDA2768C-6FDC-642D-1000-00000000CB02}360C:\Windows\System32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26ae7|C:\Windows\system32\lsasrv.dll+27c55|C:\Windows\system32\lsasrv.dll+26965|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273526Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:04.111{EDA2768C-6FDA-642D-0B00-00000000CB02}6482388C:\Windows\system32\lsass.exe{EDA2768C-6FDC-642D-1000-00000000CB02}360C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+268ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273525Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:04.111{EDA2768C-6FDC-642D-1000-00000000CB02}360956C:\Windows\System32\svchost.exe{EDA2768C-741B-642D-2D01-00000000CB02}3096C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\termsrv.dll+a1377|c:\windows\system32\termsrv.dll+6a9d8|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273524Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:04.111{EDA2768C-6FDC-642D-0C00-00000000CB02}856884C:\Windows\system32\svchost.exe{EDA2768C-741B-642D-2D01-00000000CB02}3096C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273523Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:04.111{EDA2768C-6FDC-642D-0C00-00000000CB02}856884C:\Windows\system32\svchost.exe{EDA2768C-741B-642D-2D01-00000000CB02}3096C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273522Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:04.064{EDA2768C-6FDC-642D-0C00-00000000CB02}856884C:\Windows\system32\svchost.exe{EDA2768C-6FDD-642D-1700-00000000CB02}1388C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+6a63|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273521Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:04.064{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FDC-642D-1300-00000000CB02}412C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\lsm.dll+6266e|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\combase.dll+3b21c|C:\Windows\System32\combase.dll+3aed2|C:\Windows\System32\combase.dll+397e8|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000273520Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:04.064{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FDC-642D-1000-00000000CB02}360C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\lsm.dll+6261d|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\combase.dll+3b21c|C:\Windows\System32\combase.dll+3aed2|C:\Windows\System32\combase.dll+397e8|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4 18141800x8000000000000000273519Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-ConnectPipe2023-04-05 13:14:04.064{EDA2768C-6FDC-642D-1000-00000000CB02}360\TSVCPIPE-ebff9a65-d0d5-4a1c-9ae7-7555f03ebcd1C:\Windows\System32\svchost.exe 17141700x8000000000000000273518Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-CreatePipe2023-04-05 13:14:04.064{EDA2768C-6FDC-642D-1000-00000000CB02}360\TSVCPIPE-ebff9a65-d0d5-4a1c-9ae7-7555f03ebcd1C:\Windows\System32\svchost.exe 10341000x8000000000000000273517Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:04.064{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FDC-642D-1300-00000000CB02}412C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273516Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:04.049{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FDC-642D-1300-00000000CB02}412C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273515Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:04.049{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FDC-642D-1300-00000000CB02}412C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000273514Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:04.017{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=360234107DC3275124A28BFC52263722,SHA256=940D97B3BF7A9C90DF9C4EFA62FDA55D60B22476D20FCC9873680129D4E30A93,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000209934Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:14:05.132{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3400E75170EBAFF237A160C4727758E0,SHA256=A76B1C66062B38C25B75216637EBC700197BFEF32D64ADF5EA4B4C88DD0CCFF1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000273901Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:03.448{EDA2768C-6FDA-642D-0B00-00000000CB02}648C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-192.attackrange.local63965-false10.0.1.14win-dc-ctus-attack-range-192.attackrange.local389ldap 354300x8000000000000000273900Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:03.448{EDA2768C-6FDD-642D-1600-00000000CB02}1288C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-192.attackrange.local63965-false10.0.1.14win-dc-ctus-attack-range-192.attackrange.local389ldap 354300x8000000000000000273899Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:03.442{EDA2768C-6FDA-642D-0B00-00000000CB02}648C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:d58f:d9ce:a5ad:9754win-dc-ctus-attack-range-192.attackrange.local63964-truefe80:0:0:0:d58f:d9ce:a5ad:9754win-dc-ctus-attack-range-192.attackrange.local389ldap 354300x8000000000000000273898Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:03.442{EDA2768C-6FDD-642D-1600-00000000CB02}1288C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:d58f:d9ce:a5ad:9754win-dc-ctus-attack-range-192.attackrange.local63964-truefe80:0:0:0:d58f:d9ce:a5ad:9754win-dc-ctus-attack-range-192.attackrange.local389ldap 23542300x8000000000000000273897Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:05.814{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F81878B73C36AFE38215E92C2E74DF2C,SHA256=AACBFDFABD83A9F8DBA8F4D4C716EA22176E88A9BDF507787CB4B30E089BD377,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000273896Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:05.736{EDA2768C-6FDC-642D-0C00-00000000CB02}856296C:\Windows\system32\svchost.exe{EDA2768C-741D-642D-3C01-00000000CB02}4768C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273895Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:05.736{EDA2768C-6FDD-642D-1600-00000000CB02}12881588C:\Windows\system32\svchost.exe{EDA2768C-741D-642D-3C01-00000000CB02}4768C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273894Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:05.736{EDA2768C-6FDD-642D-1600-00000000CB02}12881324C:\Windows\system32\svchost.exe{EDA2768C-741D-642D-3C01-00000000CB02}4768C:\Windows\Explorer.EXE0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273893Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:05.720{EDA2768C-741A-642D-2B01-00000000CB02}38801776C:\Windows\system32\csrss.exe{EDA2768C-741D-642D-3C01-00000000CB02}4768C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000273892Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:05.705{EDA2768C-6FDC-642D-0C00-00000000CB02}856296C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273891Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:05.705{EDA2768C-6FDC-642D-0C00-00000000CB02}856296C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273890Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:05.705{EDA2768C-6FDC-642D-0C00-00000000CB02}856296C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273889Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:05.705{EDA2768C-6FDC-642D-0C00-00000000CB02}856296C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273888Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:05.705{EDA2768C-6FD9-642D-0500-00000000CB02}420548C:\Windows\system32\csrss.exe{EDA2768C-741D-642D-3C01-00000000CB02}4768C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000273887Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:05.705{EDA2768C-6FDD-642D-1600-00000000CB02}12881588C:\Windows\system32\svchost.exe{EDA2768C-741D-642D-3C01-00000000CB02}4768C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+6e193|C:\Windows\System32\KERNEL32.DLL+1d39f|c:\windows\system32\UBPM.dll+ac80|c:\windows\system32\UBPM.dll+f954|c:\windows\system32\UBPM.dll+cd5c|c:\windows\system32\UBPM.dll+d325|c:\windows\system32\UBPM.dll+dc25|c:\windows\system32\UBPM.dll+e8fd|c:\windows\system32\UBPM.dll+e14a|c:\windows\system32\UBPM.dll+dda2|c:\windows\system32\EventAggregation.dll+3e22|c:\windows\system32\EventAggregation.dll+389a|c:\windows\system32\EventAggregation.dll+332f|c:\windows\system32\EventAggregation.dll+2e28|C:\Windows\SYSTEM32\ntdll.dll+65b65|C:\Windows\SYSTEM32\ntdll.dll+6586d|C:\Windows\SYSTEM32\ntdll.dll+656d0|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273886Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:05.705{EDA2768C-6FDC-642D-0C00-00000000CB02}856296C:\Windows\system32\svchost.exe{EDA2768C-6FDD-642D-1600-00000000CB02}1288C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x8000000000000000273885Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.localT10532023-04-05 13:14:05.705{EDA2768C-6FDD-642D-1600-00000000CB02}1288C:\Windows\system32\svchost.exeC:\Windows\System32\Tasks\CreateExplorerShellUnelevatedTask2023-03-21 12:47:46.796 23542300x8000000000000000273884Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:05.689{EDA2768C-6FDD-642D-1600-00000000CB02}1288NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\System32\Tasks\CreateExplorerShellUnelevatedTaskMD5=7A2163BAF11F784E3E14894450E1185D,SHA256=299A7F1EA1B6D7319064263EF354F04C7B1EE1BA5CDE1D75F606F1708CE58615,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000273883Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:05.689{EDA2768C-6FDA-642D-0B00-00000000CB02}648852C:\Windows\system32\lsass.exe{EDA2768C-741D-642D-3B01-00000000CB02}4744C:\Windows\Explorer.EXE0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26ae7|C:\Windows\system32\lsasrv.dll+27c55|C:\Windows\system32\lsasrv.dll+26965|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273882Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:05.689{EDA2768C-6FDA-642D-0B00-00000000CB02}648852C:\Windows\system32\lsass.exe{EDA2768C-741D-642D-3B01-00000000CB02}4744C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+268ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273881Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:05.658{EDA2768C-6FDD-642D-1600-00000000CB02}12881760C:\Windows\system32\svchost.exe{EDA2768C-741D-642D-3B01-00000000CB02}4744C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273880Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:05.658{EDA2768C-6FDD-642D-1600-00000000CB02}12881324C:\Windows\system32\svchost.exe{EDA2768C-741D-642D-3B01-00000000CB02}4744C:\Windows\Explorer.EXE0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000273879Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:03.436{EDA2768C-6FDA-642D-0B00-00000000CB02}648C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:d58f:d9ce:a5ad:9754win-dc-ctus-attack-range-192.attackrange.local63963-truefe80:0:0:0:d58f:d9ce:a5ad:9754win-dc-ctus-attack-range-192.attackrange.local49666- 354300x8000000000000000273878Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:03.436{EDA2768C-6FDA-642D-0B00-00000000CB02}648C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:d58f:d9ce:a5ad:9754win-dc-ctus-attack-range-192.attackrange.local63963-truefe80:0:0:0:d58f:d9ce:a5ad:9754win-dc-ctus-attack-range-192.attackrange.local49666- 354300x8000000000000000273877Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:03.435{EDA2768C-6FDC-642D-0D00-00000000CB02}916C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:d58f:d9ce:a5ad:9754win-dc-ctus-attack-range-192.attackrange.local63962-truefe80:0:0:0:d58f:d9ce:a5ad:9754win-dc-ctus-attack-range-192.attackrange.local135epmap 354300x8000000000000000273876Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:03.434{EDA2768C-6FDA-642D-0B00-00000000CB02}648C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:d58f:d9ce:a5ad:9754win-dc-ctus-attack-range-192.attackrange.local63962-truefe80:0:0:0:d58f:d9ce:a5ad:9754win-dc-ctus-attack-range-192.attackrange.local135epmap 10341000x8000000000000000273875Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:05.580{EDA2768C-6FDC-642D-0C00-00000000CB02}856296C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273874Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:05.580{EDA2768C-6FDC-642D-0C00-00000000CB02}856296C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273873Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:05.580{EDA2768C-6FDC-642D-0C00-00000000CB02}856296C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273872Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:05.580{EDA2768C-6FDC-642D-0C00-00000000CB02}856296C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273871Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:05.564{EDA2768C-741A-642D-2B01-00000000CB02}38801776C:\Windows\system32\csrss.exe{EDA2768C-741D-642D-3B01-00000000CB02}4744C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000273870Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:05.564{EDA2768C-741D-642D-3A01-00000000CB02}46484652C:\Windows\system32\userinit.exe{EDA2768C-741D-642D-3B01-00000000CB02}4744C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Windows\system32\userinit.exe+1cd8|C:\Windows\system32\userinit.exe+23e5|C:\Windows\system32\userinit.exe+346e|C:\Windows\system32\userinit.exe+3725|C:\Windows\system32\userinit.exe+4553|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000273869Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:05.518{EDA2768C-741D-642D-3B01-00000000CB02}4744C:\Windows\explorer.exe10.0.14393.5648 (rs1_release.230105-1654)Windows ExplorerMicrosoft® Windows® Operating SystemMicrosoft CorporationEXPLORER.EXEC:\Windows\Explorer.EXEC:\Windows\system32\ATTACKRANGE\Administrator{EDA2768C-741C-642D-98C4-0E0000000000}0xec4982HighMD5=8F7BA5D66FBAB4AEB6075DBE6BE41A84,SHA256=E6F7E06CB3A4CA1B73DD708F2DA6AB86E5AC4BAAB1C26A98AC29EACBC869A28E,IMPHASH=8D2880102609AA4B23679BD4FEBEBC95{EDA2768C-741D-642D-3A01-00000000CB02}4648C:\Windows\System32\userinit.exeC:\Windows\system32\userinit.exe 10341000x8000000000000000273868Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:05.502{EDA2768C-6FDD-642D-1600-00000000CB02}12881760C:\Windows\system32\svchost.exe{EDA2768C-741D-642D-3A01-00000000CB02}4648C:\Windows\system32\userinit.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273867Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:05.502{EDA2768C-6FDD-642D-1600-00000000CB02}12881324C:\Windows\system32\svchost.exe{EDA2768C-741D-642D-3A01-00000000CB02}4648C:\Windows\system32\userinit.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273866Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:05.455{EDA2768C-6FDC-642D-1300-00000000CB02}4121108C:\Windows\System32\svchost.exe{EDA2768C-6FDC-642D-1200-00000000CB02}388C:\Windows\system32\svchost.exe0x1440C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|c:\windows\system32\ncbservice.dll+2f95|c:\windows\system32\ncbservice.dll+1969|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273865Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:05.455{EDA2768C-6FDC-642D-1300-00000000CB02}4121108C:\Windows\System32\svchost.exe{EDA2768C-6FDC-642D-1200-00000000CB02}388C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\ncbservice.dll+165c|c:\windows\system32\ncbservice.dll+227a|c:\windows\system32\ncbservice.dll+205e|c:\windows\system32\ncbservice.dll+1bdb|c:\windows\system32\ncbservice.dll+181b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273864Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:05.455{EDA2768C-6FDC-642D-1300-00000000CB02}4121108C:\Windows\System32\svchost.exe{EDA2768C-6FDC-642D-1200-00000000CB02}388C:\Windows\system32\svchost.exe0x1440C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|c:\windows\system32\ncbservice.dll+2f95|c:\windows\system32\ncbservice.dll+17cf|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273863Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:05.455{EDA2768C-6FDC-642D-1300-00000000CB02}4121108C:\Windows\System32\svchost.exe{EDA2768C-6FDC-642D-1200-00000000CB02}388C:\Windows\system32\svchost.exe0x1440C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|c:\windows\system32\ncbservice.dll+2f95|c:\windows\system32\ncbservice.dll+2e77|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000273862Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:05.455{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F81F738248D4D7107A40AE0BB753175,SHA256=36FDECAD3FACBD2FA9560CF989412C08307A05163BCF269AEAA4F468F1BD7409,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000273861Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:05.424{EDA2768C-6FDC-642D-0C00-00000000CB02}856296C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273860Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:05.424{EDA2768C-6FDC-642D-0C00-00000000CB02}856296C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273859Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:05.424{EDA2768C-6FDC-642D-0C00-00000000CB02}856296C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273858Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:05.424{EDA2768C-6FDC-642D-0C00-00000000CB02}856296C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273857Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:05.424{EDA2768C-741A-642D-2B01-00000000CB02}38801776C:\Windows\system32\csrss.exe{EDA2768C-741D-642D-3A01-00000000CB02}4648C:\Windows\system32\userinit.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000273856Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:05.424{EDA2768C-6FDC-642D-1300-00000000CB02}4121108C:\Windows\System32\svchost.exe{EDA2768C-6FDC-642D-1200-00000000CB02}388C:\Windows\system32\svchost.exe0x1440C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|c:\windows\system32\ncbservice.dll+2f95|c:\windows\system32\ncbservice.dll+2e77|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273855Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:05.424{EDA2768C-741A-642D-2C01-00000000CB02}40203440C:\Windows\system32\winlogon.exe{EDA2768C-741D-642D-3A01-00000000CB02}4648C:\Windows\system32\userinit.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+6e193|C:\Windows\System32\KERNEL32.DLL+1d39f|C:\Windows\system32\winlogon.exe+15b13|C:\Windows\system32\winlogon.exe+ea76|C:\Windows\system32\winlogon.exe+b12f|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000273854Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:05.436{EDA2768C-741D-642D-3A01-00000000CB02}4648C:\Windows\System32\userinit.exe10.0.14393.0 (rs1_release.160715-1616)Userinit Logon ApplicationMicrosoft® Windows® Operating SystemMicrosoft CorporationUSERINIT.EXEC:\Windows\system32\userinit.exeC:\Windows\system32\ATTACKRANGE\Administrator{EDA2768C-741C-642D-98C4-0E0000000000}0xec4982HighMD5=C1B1FFC800BE2F31EB2CF8CB40629C69,SHA256=CFC6A18FC8FE7447ECD491345A32F0F10208F114B70A0E9D1CD72F6070D5B36F,IMPHASH=BFA137B16F3492AFCA0551687B067C04{EDA2768C-741A-642D-2C01-00000000CB02}4020C:\Windows\System32\winlogon.exewinlogon.exe 10341000x8000000000000000273853Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:05.424{EDA2768C-6FDC-642D-0C00-00000000CB02}856984C:\Windows\system32\svchost.exe{EDA2768C-6FDA-642D-0B00-00000000CB02}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273852Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:05.424{EDA2768C-6FDC-642D-0C00-00000000CB02}856984C:\Windows\system32\svchost.exe{EDA2768C-6FDA-642D-0B00-00000000CB02}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273851Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:05.424{EDA2768C-6FDA-642D-0B00-00000000CB02}648852C:\Windows\system32\lsass.exe{EDA2768C-6FDA-642D-0A00-00000000CB02}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1bfed|C:\Windows\system32\lsasrv.dll+28fbb|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273850Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:05.424{EDA2768C-6FDC-642D-0C00-00000000CB02}856296C:\Windows\system32\svchost.exe{EDA2768C-6FDD-642D-1600-00000000CB02}1288C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273849Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:05.424{EDA2768C-6FDA-642D-0B00-00000000CB02}648852C:\Windows\system32\lsass.exe{EDA2768C-741D-642D-3401-00000000CB02}4292C:\Windows\system32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26ae7|C:\Windows\system32\lsasrv.dll+27c55|C:\Windows\system32\lsasrv.dll+26965|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273848Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:05.424{EDA2768C-6FDA-642D-0B00-00000000CB02}648852C:\Windows\system32\lsass.exe{EDA2768C-741D-642D-3401-00000000CB02}4292C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+268ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273847Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:05.408{EDA2768C-741C-642D-3201-00000000CB02}42204236C:\Windows\System32\RuntimeBroker.exe{EDA2768C-741D-642D-3401-00000000CB02}4292C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\TokenBroker.dll+112ea|C:\Windows\System32\TokenBroker.dll+d335|C:\Windows\System32\TokenBroker.dll+d669|C:\Windows\System32\TokenBroker.dll+1ff53|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+54d13|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+3b21c|C:\Windows\System32\combase.dll+3aed2|C:\Windows\System32\combase.dll+8aa6b|C:\Windows\System32\combase.dll+8c0c2|C:\Windows\System32\combase.dll+39b33|C:\Windows\System32\combase.dll+8c1dd|C:\Windows\System32\combase.dll+37f1c|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e 10341000x8000000000000000273846Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:05.408{EDA2768C-741C-642D-3201-00000000CB02}42204236C:\Windows\System32\RuntimeBroker.exe{EDA2768C-741D-642D-3401-00000000CB02}4292C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\TokenBroker.dll+22ee6|C:\Windows\System32\TokenBroker.dll+11213|C:\Windows\System32\TokenBroker.dll+d335|C:\Windows\System32\TokenBroker.dll+d669|C:\Windows\System32\TokenBroker.dll+1ff53|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+54d13|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+3b21c|C:\Windows\System32\combase.dll+3aed2|C:\Windows\System32\combase.dll+8aa6b|C:\Windows\System32\combase.dll+8c0c2|C:\Windows\System32\combase.dll+39b33|C:\Windows\System32\combase.dll+8c1dd|C:\Windows\System32\combase.dll+37f1c|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d 10341000x8000000000000000273845Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:05.392{EDA2768C-6FDC-642D-0C00-00000000CB02}856296C:\Windows\system32\svchost.exe{EDA2768C-741C-642D-3101-00000000CB02}4192C:\Windows\System32\rdpclip.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273844Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:05.345{EDA2768C-6FDC-642D-0C00-00000000CB02}856296C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273843Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:05.345{EDA2768C-6FDC-642D-0C00-00000000CB02}856296C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273842Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:05.345{EDA2768C-6FDC-642D-0C00-00000000CB02}856296C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273841Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:05.345{EDA2768C-6FDC-642D-0C00-00000000CB02}856296C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273840Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:05.314{EDA2768C-6FDC-642D-0C00-00000000CB02}856884C:\Windows\system32\svchost.exe{EDA2768C-741A-642D-2C01-00000000CB02}4020C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273839Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:05.314{EDA2768C-6FDC-642D-0C00-00000000CB02}856884C:\Windows\system32\svchost.exe{EDA2768C-741A-642D-2C01-00000000CB02}4020C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273838Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:05.314{EDA2768C-6FDC-642D-0C00-00000000CB02}856884C:\Windows\system32\svchost.exe{EDA2768C-741A-642D-2C01-00000000CB02}4020C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+796b|c:\windows\system32\lsm.dll+3a1a|c:\windows\system32\SYSNTFY.dll+1e8d|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+35428|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273837Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:05.314{EDA2768C-6FDC-642D-0C00-00000000CB02}856884C:\Windows\system32\svchost.exe{EDA2768C-6FDD-642D-1600-00000000CB02}1288C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000273836Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:05.314{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44A62DBBDA0D1B2E1C3010CF8513DD91,SHA256=B8C2EA48494A6E59D5D33D6DA58FBE8C5190D0125B10BF01588BF2BBAFD24C3C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000273835Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:05.314{EDA2768C-6FDD-642D-1600-00000000CB02}12881588C:\Windows\system32\svchost.exe{EDA2768C-741A-642D-2C01-00000000CB02}4020C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\sessenv.dll+3de88|c:\windows\system32\sessenv.dll+f881|c:\windows\system32\sessenv.dll+677c|c:\windows\system32\SYSNTFY.dll+1e8d|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+35428|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273834Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:05.283{EDA2768C-6FDC-642D-0C00-00000000CB02}856884C:\Windows\system32\svchost.exe{EDA2768C-741C-642D-3101-00000000CB02}4192C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\lsm.dll+6266e|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\combase.dll+3b21c|C:\Windows\System32\combase.dll+3aed2|C:\Windows\System32\combase.dll+397e8|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000273833Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:05.283{EDA2768C-6FDC-642D-0C00-00000000CB02}856884C:\Windows\system32\svchost.exe{EDA2768C-6FDC-642D-1000-00000000CB02}360C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\lsm.dll+6261d|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\combase.dll+3b21c|C:\Windows\System32\combase.dll+3aed2|C:\Windows\System32\combase.dll+397e8|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4 18141800x8000000000000000273832Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-ConnectPipe2023-04-05 13:14:05.283{EDA2768C-6FDC-642D-1000-00000000CB02}360\TSVCPIPE-157076c5-1580-4ce3-a584-3b25a1d3286fC:\Windows\System32\svchost.exe 17141700x8000000000000000273831Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-CreatePipe2023-04-05 13:14:05.283{EDA2768C-6FDC-642D-1000-00000000CB02}360\TSVCPIPE-157076c5-1580-4ce3-a584-3b25a1d3286fC:\Windows\System32\svchost.exe 10341000x8000000000000000273830Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:05.267{EDA2768C-741D-642D-3801-00000000CB02}43724424C:\Windows\system32\conhost.exe{EDA2768C-741D-642D-3501-00000000CB02}4344C:\Windows\System32\XblGameSaveTask.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273829Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:05.236{EDA2768C-6FDC-642D-0C00-00000000CB02}856884C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273828Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:05.236{EDA2768C-6FDC-642D-0C00-00000000CB02}856884C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273827Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:05.236{EDA2768C-6FDC-642D-0C00-00000000CB02}856884C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273826Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:05.236{EDA2768C-6FDC-642D-0C00-00000000CB02}856884C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273825Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:05.236{EDA2768C-741A-642D-2B01-00000000CB02}3880172C:\Windows\system32\csrss.exe{EDA2768C-741D-642D-3701-00000000CB02}4360C:\Windows\system32\ServerManagerLauncher.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000273824Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:05.236{EDA2768C-6FD9-642D-0500-00000000CB02}420548C:\Windows\system32\csrss.exe{EDA2768C-741D-642D-3801-00000000CB02}4372C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000273823Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:05.236{EDA2768C-6FD9-642D-0500-00000000CB02}420436C:\Windows\system32\csrss.exe{EDA2768C-741D-642D-3701-00000000CB02}4360C:\Windows\system32\ServerManagerLauncher.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000273822Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:05.236{EDA2768C-6FDD-642D-1600-00000000CB02}12881588C:\Windows\system32\svchost.exe{EDA2768C-741D-642D-3701-00000000CB02}4360C:\Windows\system32\ServerManagerLauncher.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+6e193|C:\Windows\System32\KERNEL32.DLL+1d39f|c:\windows\system32\UBPM.dll+ac80|c:\windows\system32\UBPM.dll+f954|c:\windows\system32\UBPM.dll+cd5c|c:\windows\system32\UBPM.dll+107e6|c:\windows\system32\UBPM.dll+d3c9|c:\windows\system32\UBPM.dll+dc25|c:\windows\system32\UBPM.dll+e8fd|c:\windows\system32\UBPM.dll+e14a|c:\windows\system32\UBPM.dll+dda2|c:\windows\system32\EventAggregation.dll+3e22|c:\windows\system32\EventAggregation.dll+36c9|c:\windows\system32\EventAggregation.dll+332f|c:\windows\system32\EventAggregation.dll+2e28|C:\Windows\SYSTEM32\ntdll.dll+65b65|C:\Windows\SYSTEM32\ntdll.dll+6586d|C:\Windows\SYSTEM32\ntdll.dll+656d0|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273821Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:05.236{EDA2768C-6FDC-642D-0C00-00000000CB02}856884C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273820Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:05.236{EDA2768C-6FDC-642D-0C00-00000000CB02}856884C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273819Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:05.221{EDA2768C-6FDC-642D-0C00-00000000CB02}856884C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273818Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:05.221{EDA2768C-6FDC-642D-0C00-00000000CB02}856884C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273817Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:05.221{EDA2768C-6FDC-642D-0C00-00000000CB02}856884C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273816Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:05.221{EDA2768C-6FDC-642D-0C00-00000000CB02}856884C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273815Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:05.221{EDA2768C-6FDC-642D-0C00-00000000CB02}856884C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273814Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:05.221{EDA2768C-6FDC-642D-0C00-00000000CB02}856884C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273813Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:05.221{EDA2768C-6FD9-642D-0500-00000000CB02}420784C:\Windows\system32\csrss.exe{EDA2768C-741D-642D-3501-00000000CB02}4344C:\Windows\System32\XblGameSaveTask.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000273812Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:05.221{EDA2768C-6FDD-642D-1600-00000000CB02}12881684C:\Windows\system32\svchost.exe{EDA2768C-741D-642D-3501-00000000CB02}4344C:\Windows\System32\XblGameSaveTask.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|c:\windows\system32\UBPM.dll+a731|c:\windows\system32\UBPM.dll+f954|c:\windows\system32\UBPM.dll+cd5c|c:\windows\system32\UBPM.dll+d325|c:\windows\system32\UBPM.dll+dc25|c:\windows\system32\UBPM.dll+e8fd|c:\windows\system32\UBPM.dll+e14a|c:\windows\system32\UBPM.dll+dda2|c:\windows\system32\EventAggregation.dll+3e22|c:\windows\system32\EventAggregation.dll+36c9|c:\windows\system32\EventAggregation.dll+332f|c:\windows\system32\EventAggregation.dll+2e28|C:\Windows\SYSTEM32\ntdll.dll+65b65|C:\Windows\SYSTEM32\ntdll.dll+6586d|C:\Windows\SYSTEM32\ntdll.dll+656d0|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273811Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:05.221{EDA2768C-6FDC-642D-0C00-00000000CB02}856884C:\Windows\system32\svchost.exe{EDA2768C-6FDD-642D-1600-00000000CB02}1288C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273810Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:05.221{EDA2768C-6FDC-642D-0C00-00000000CB02}856884C:\Windows\system32\svchost.exe{EDA2768C-6FDD-642D-1600-00000000CB02}1288C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273809Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:05.221{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FDD-642D-1600-00000000CB02}1288C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273808Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:05.221{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-6FDD-642D-1700-00000000CB02}1388C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+6a63|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273807Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:05.221{EDA2768C-6FDC-642D-0C00-00000000CB02}856884C:\Windows\system32\svchost.exe{EDA2768C-6FDD-642D-1600-00000000CB02}1288C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273806Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:05.221{EDA2768C-6FDC-642D-0C00-00000000CB02}856884C:\Windows\system32\svchost.exe{EDA2768C-6FDD-642D-1600-00000000CB02}1288C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273805Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:05.221{EDA2768C-6FDC-642D-0C00-00000000CB02}856884C:\Windows\system32\svchost.exe{EDA2768C-6FDD-642D-1600-00000000CB02}1288C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273804Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:05.221{EDA2768C-6FDA-642D-0A00-00000000CB02}640720C:\Windows\system32\services.exe{EDA2768C-741D-642D-3401-00000000CB02}4292C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273803Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:05.221{EDA2768C-6FDC-642D-0C00-00000000CB02}856884C:\Windows\system32\svchost.exe{EDA2768C-741D-642D-3401-00000000CB02}4292C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273802Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:05.205{EDA2768C-741A-642D-2B01-00000000CB02}3880172C:\Windows\system32\csrss.exe{EDA2768C-741D-642D-3401-00000000CB02}4292C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 18141800x8000000000000000273801Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-ConnectPipe2023-04-05 13:14:05.158{EDA2768C-6FDC-642D-1000-00000000CB02}360\TSVCPIPE-abb837ff-d7bc-44db-a9f9-fdf6ed513d6dC:\Windows\System32\svchost.exe 17141700x8000000000000000273800Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-CreatePipe2023-04-05 13:14:05.158{EDA2768C-6FDC-642D-1000-00000000CB02}360\TSVCPIPE-abb837ff-d7bc-44db-a9f9-fdf6ed513d6dC:\Windows\System32\svchost.exe 10341000x8000000000000000273799Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:05.142{EDA2768C-6FD9-642D-0500-00000000CB02}420784C:\Windows\system32\csrss.exe{EDA2768C-741D-642D-3401-00000000CB02}4292C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000273798Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:05.142{EDA2768C-6FDA-642D-0A00-00000000CB02}6402560C:\Windows\system32\services.exe{EDA2768C-741D-642D-3401-00000000CB02}4292C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+6e193|C:\Windows\System32\KERNEL32.DLL+1d39f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d248|C:\Windows\system32\services.exe+1dc37|C:\Windows\system32\services.exe+17f38|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4 13241300x8000000000000000273797Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-SetValue2023-04-05 13:14:05.142{EDA2768C-6FDA-642D-0A00-00000000CB02}640C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\WpnUserService_efee5\Description@%%SystemRoot%%\system32\WpnUserService.dll,-2 13241300x8000000000000000273796Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-SetValue2023-04-05 13:14:05.142{EDA2768C-6FDA-642D-0A00-00000000CB02}640C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\WpnUserService_efee5\FailureActionsBinary Data 13241300x8000000000000000273795Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-SetValue2023-04-05 13:14:05.142{EDA2768C-6FDA-642D-0A00-00000000CB02}640C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\WpnUserService_efee5\Security\SecurityBinary Data 10341000x8000000000000000273794Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:05.142{EDA2768C-6FDC-642D-0C00-00000000CB02}856884C:\Windows\system32\svchost.exe{EDA2768C-741B-642D-2E01-00000000CB02}3404C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273793Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:05.142{EDA2768C-6FDC-642D-0C00-00000000CB02}856884C:\Windows\system32\svchost.exe{EDA2768C-741B-642D-2E01-00000000CB02}3404C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000273792Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-SetValue2023-04-05 13:14:05.142{EDA2768C-6FDA-642D-0A00-00000000CB02}640C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\WpnUserService_efee5\DisplayNameWindows Push Notifications User Service_efee5 13241300x8000000000000000273791Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.localT1031,T1050SetValue2023-04-05 13:14:05.142{EDA2768C-6FDA-642D-0A00-00000000CB02}640C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\WpnUserService_efee5\ImagePathC:\Windows\system32\svchost.exe -k UnistackSvcGroup 13241300x8000000000000000273790Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-SetValue2023-04-05 13:14:05.142{EDA2768C-6FDA-642D-0A00-00000000CB02}640C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\WpnUserService_efee5\ErrorControlDWORD (0x00000000) 13241300x8000000000000000273789Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.localT1031,T1050SetValue2023-04-05 13:14:05.142{EDA2768C-6FDA-642D-0A00-00000000CB02}640C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\WpnUserService_efee5\StartDWORD (0x00000003) 13241300x8000000000000000273788Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-SetValue2023-04-05 13:14:05.142{EDA2768C-6FDA-642D-0A00-00000000CB02}640C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\WpnUserService_efee5\TypeDWORD (0x000000e0) 13241300x8000000000000000273787Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-SetValue2023-04-05 13:14:05.142{EDA2768C-6FDA-642D-0A00-00000000CB02}640C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\UserDataSvc_efee5\Description@%%SystemRoot%%\system32\UserDataAccessRes.dll,-14000 13241300x8000000000000000273786Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-SetValue2023-04-05 13:14:05.142{EDA2768C-6FDA-642D-0A00-00000000CB02}640C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\UserDataSvc_efee5\FailureActionsBinary Data 13241300x8000000000000000273785Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-SetValue2023-04-05 13:14:05.142{EDA2768C-6FDA-642D-0A00-00000000CB02}640C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\UserDataSvc_efee5\Security\SecurityBinary Data 13241300x8000000000000000273784Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-SetValue2023-04-05 13:14:05.142{EDA2768C-6FDA-642D-0A00-00000000CB02}640C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\UserDataSvc_efee5\DisplayNameUser Data Access_efee5 13241300x8000000000000000273783Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.localT1031,T1050SetValue2023-04-05 13:14:05.142{EDA2768C-6FDA-642D-0A00-00000000CB02}640C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\UserDataSvc_efee5\ImagePathC:\Windows\system32\svchost.exe -k UnistackSvcGroup 13241300x8000000000000000273782Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-SetValue2023-04-05 13:14:05.142{EDA2768C-6FDA-642D-0A00-00000000CB02}640C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\UserDataSvc_efee5\ErrorControlDWORD (0x00000000) 13241300x8000000000000000273781Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.localT1031,T1050SetValue2023-04-05 13:14:05.142{EDA2768C-6FDA-642D-0A00-00000000CB02}640C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\UserDataSvc_efee5\StartDWORD (0x00000003) 13241300x8000000000000000273780Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-SetValue2023-04-05 13:14:05.142{EDA2768C-6FDA-642D-0A00-00000000CB02}640C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\UserDataSvc_efee5\TypeDWORD (0x000000e0) 13241300x8000000000000000273779Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-SetValue2023-04-05 13:14:05.142{EDA2768C-6FDA-642D-0A00-00000000CB02}640C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\UnistoreSvc_efee5\Description@%%SystemRoot%%\system32\UserDataAccessRes.dll,-10002 13241300x8000000000000000273778Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-SetValue2023-04-05 13:14:05.142{EDA2768C-6FDA-642D-0A00-00000000CB02}640C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\UnistoreSvc_efee5\FailureActionsBinary Data 13241300x8000000000000000273777Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-SetValue2023-04-05 13:14:05.142{EDA2768C-6FDA-642D-0A00-00000000CB02}640C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\UnistoreSvc_efee5\Security\SecurityBinary Data 13241300x8000000000000000273776Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-SetValue2023-04-05 13:14:05.142{EDA2768C-6FDA-642D-0A00-00000000CB02}640C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\UnistoreSvc_efee5\DisplayNameUser Data Storage_efee5 13241300x8000000000000000273775Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.localT1031,T1050SetValue2023-04-05 13:14:05.142{EDA2768C-6FDA-642D-0A00-00000000CB02}640C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\UnistoreSvc_efee5\ImagePathC:\Windows\System32\svchost.exe -k UnistackSvcGroup 13241300x8000000000000000273774Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-SetValue2023-04-05 13:14:05.142{EDA2768C-6FDA-642D-0A00-00000000CB02}640C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\UnistoreSvc_efee5\ErrorControlDWORD (0x00000000) 13241300x8000000000000000273773Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.localT1031,T1050SetValue2023-04-05 13:14:05.142{EDA2768C-6FDA-642D-0A00-00000000CB02}640C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\UnistoreSvc_efee5\StartDWORD (0x00000003) 13241300x8000000000000000273772Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-SetValue2023-04-05 13:14:05.142{EDA2768C-6FDA-642D-0A00-00000000CB02}640C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\UnistoreSvc_efee5\TypeDWORD (0x000000e0) 13241300x8000000000000000273771Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-SetValue2023-04-05 13:14:05.142{EDA2768C-6FDA-642D-0A00-00000000CB02}640C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\PimIndexMaintenanceSvc_efee5\Description@%%SystemRoot%%\system32\UserDataAccessRes.dll,-15000 13241300x8000000000000000273770Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-SetValue2023-04-05 13:14:05.142{EDA2768C-6FDA-642D-0A00-00000000CB02}640C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\PimIndexMaintenanceSvc_efee5\FailureActionsBinary Data 13241300x8000000000000000273769Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-SetValue2023-04-05 13:14:05.142{EDA2768C-6FDA-642D-0A00-00000000CB02}640C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\PimIndexMaintenanceSvc_efee5\Security\SecurityBinary Data 13241300x8000000000000000273768Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-SetValue2023-04-05 13:14:05.142{EDA2768C-6FDA-642D-0A00-00000000CB02}640C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\PimIndexMaintenanceSvc_efee5\DisplayNameContact Data_efee5 13241300x8000000000000000273767Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.localT1031,T1050SetValue2023-04-05 13:14:05.142{EDA2768C-6FDA-642D-0A00-00000000CB02}640C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\PimIndexMaintenanceSvc_efee5\ImagePathC:\Windows\system32\svchost.exe -k UnistackSvcGroup 13241300x8000000000000000273766Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-SetValue2023-04-05 13:14:05.142{EDA2768C-6FDA-642D-0A00-00000000CB02}640C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\PimIndexMaintenanceSvc_efee5\ErrorControlDWORD (0x00000000) 13241300x8000000000000000273765Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.localT1031,T1050SetValue2023-04-05 13:14:05.142{EDA2768C-6FDA-642D-0A00-00000000CB02}640C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\PimIndexMaintenanceSvc_efee5\StartDWORD (0x00000003) 13241300x8000000000000000273764Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-SetValue2023-04-05 13:14:05.142{EDA2768C-6FDA-642D-0A00-00000000CB02}640C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\PimIndexMaintenanceSvc_efee5\TypeDWORD (0x000000e0) 13241300x8000000000000000273763Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-SetValue2023-04-05 13:14:05.142{EDA2768C-6FDA-642D-0A00-00000000CB02}640C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\OneSyncSvc_efee5\Description@%%SystemRoot%%\system32\APHostRes.dll,-10001 13241300x8000000000000000273762Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-SetValue2023-04-05 13:14:05.142{EDA2768C-6FDA-642D-0A00-00000000CB02}640C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\OneSyncSvc_efee5\FailureActionsBinary Data 13241300x8000000000000000273761Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-SetValue2023-04-05 13:14:05.142{EDA2768C-6FDA-642D-0A00-00000000CB02}640C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\OneSyncSvc_efee5\Security\SecurityBinary Data 13241300x8000000000000000273760Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-SetValue2023-04-05 13:14:05.142{EDA2768C-6FDA-642D-0A00-00000000CB02}640C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\OneSyncSvc_efee5\DisplayNameSync Host_efee5 13241300x8000000000000000273759Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.localT1031,T1050SetValue2023-04-05 13:14:05.142{EDA2768C-6FDA-642D-0A00-00000000CB02}640C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\OneSyncSvc_efee5\ImagePathC:\Windows\system32\svchost.exe -k UnistackSvcGroup 13241300x8000000000000000273758Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-SetValue2023-04-05 13:14:05.142{EDA2768C-6FDA-642D-0A00-00000000CB02}640C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\OneSyncSvc_efee5\ErrorControlDWORD (0x00000000) 13241300x8000000000000000273757Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.localT1031,T1050SetValue2023-04-05 13:14:05.142{EDA2768C-6FDA-642D-0A00-00000000CB02}640C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\OneSyncSvc_efee5\StartDWORD (0x00000002) 13241300x8000000000000000273756Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-SetValue2023-04-05 13:14:05.142{EDA2768C-6FDA-642D-0A00-00000000CB02}640C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\OneSyncSvc_efee5\TypeDWORD (0x000000e0) 13241300x8000000000000000273755Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-SetValue2023-04-05 13:14:05.142{EDA2768C-6FDA-642D-0A00-00000000CB02}640C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\CDPUserSvc_efee5\Description@%%SystemRoot%%\system32\cdpusersvc.dll,-101 13241300x8000000000000000273754Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-SetValue2023-04-05 13:14:05.142{EDA2768C-6FDA-642D-0A00-00000000CB02}640C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\CDPUserSvc_efee5\FailureActionsBinary Data 13241300x8000000000000000273753Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-SetValue2023-04-05 13:14:05.142{EDA2768C-6FDA-642D-0A00-00000000CB02}640C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\CDPUserSvc_efee5\Security\SecurityBinary Data 13241300x8000000000000000273752Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-SetValue2023-04-05 13:14:05.142{EDA2768C-6FDA-642D-0A00-00000000CB02}640C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\CDPUserSvc_efee5\DisplayNameCDPUserSvc_efee5 13241300x8000000000000000273751Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.localT1031,T1050SetValue2023-04-05 13:14:05.142{EDA2768C-6FDA-642D-0A00-00000000CB02}640C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\CDPUserSvc_efee5\ImagePathC:\Windows\system32\svchost.exe -k UnistackSvcGroup 13241300x8000000000000000273750Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-SetValue2023-04-05 13:14:05.142{EDA2768C-6FDA-642D-0A00-00000000CB02}640C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\CDPUserSvc_efee5\ErrorControlDWORD (0x00000001) 13241300x8000000000000000273749Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.localT1031,T1050SetValue2023-04-05 13:14:05.142{EDA2768C-6FDA-642D-0A00-00000000CB02}640C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\CDPUserSvc_efee5\StartDWORD (0x00000002) 13241300x8000000000000000273748Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-SetValue2023-04-05 13:14:05.142{EDA2768C-6FDA-642D-0A00-00000000CB02}640C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\CDPUserSvc_efee5\TypeDWORD (0x000000e0) 10341000x8000000000000000273747Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:05.142{EDA2768C-6FDC-642D-0C00-00000000CB02}856884C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273746Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:05.129{EDA2768C-6FDC-642D-0C00-00000000CB02}856884C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273745Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:05.129{EDA2768C-6FDC-642D-0C00-00000000CB02}856884C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273744Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:05.129{EDA2768C-6FDC-642D-0C00-00000000CB02}856884C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2B00-00000000CB02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273743Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:05.129{EDA2768C-6FDC-642D-0C00-00000000CB02}856884C:\Windows\system32\svchost.exe{EDA2768C-6FDD-642D-1600-00000000CB02}1288C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273742Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:05.033{EDA2768C-6FDC-642D-0C00-00000000CB02}856884C:\Windows\system32\svchost.exe{EDA2768C-741C-642D-3101-00000000CB02}4192C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273741Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:05.033{EDA2768C-6FDC-642D-0C00-00000000CB02}856884C:\Windows\system32\svchost.exe{EDA2768C-741C-642D-3101-00000000CB02}4192C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x8000000000000000273740Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-ConnectPipe2023-04-05 13:14:05.033{EDA2768C-6FDC-642D-1000-00000000CB02}360\TSVCPIPE-53cc6c2c-4857-4026-8831-e0f3fd6a96dcC:\Windows\System32\svchost.exe 17141700x8000000000000000273739Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-CreatePipe2023-04-05 13:14:05.033{EDA2768C-6FDC-642D-1000-00000000CB02}360\TSVCPIPE-53cc6c2c-4857-4026-8831-e0f3fd6a96dcC:\Windows\System32\svchost.exe 10341000x8000000000000000273738Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:05.033{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-741C-642D-3101-00000000CB02}4192C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d41c2|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000273737Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:05.033{EDA2768C-6FFD-642D-7A00-00000000CB02}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0BB6F5A3D4EC4E2A56E5AA1FEA3D1C72,SHA256=A0B1C259E6FFCA664FACF7A9DAA1B2995366627F6381B984E695AA3747DA54B5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000273736Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:05.033{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-741C-642D-3101-00000000CB02}4192C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273735Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:05.033{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-741C-642D-3101-00000000CB02}4192C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273734Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:05.033{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-741C-642D-3101-00000000CB02}4192C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273733Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:05.033{EDA2768C-6FDD-642D-1600-00000000CB02}12882124C:\Windows\system32\svchost.exe{EDA2768C-741C-642D-3101-00000000CB02}4192C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273732Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:05.033{EDA2768C-6FDD-642D-1600-00000000CB02}12881324C:\Windows\system32\svchost.exe{EDA2768C-741C-642D-3101-00000000CB02}4192C:\Windows\System32\rdpclip.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273731Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:05.033{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-741C-642D-3101-00000000CB02}4192C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+1f3a|c:\windows\system32\lsm.dll+1cd9|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273730Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:05.033{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-741C-642D-3101-00000000CB02}4192C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1c24|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273729Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:05.022{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-741B-642D-2E01-00000000CB02}3404C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273728Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:05.022{EDA2768C-6FDC-642D-0C00-00000000CB02}856888C:\Windows\system32\svchost.exe{EDA2768C-741B-642D-2E01-00000000CB02}3404C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000209949Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:14:03.583{8E625C7F-6FD8-642D-1E00-00000000CC02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-176.us-east-2.compute.internal49911-false10.0.1.12-8089- 23542300x8000000000000000209948Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-176-2023-04-05 13:14:06.338{8E625C7F-6FEB-642D-7300-00000000CC02}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E73F6110BEC6DB4E0E2C44548E2F886C,SHA256=3AB1DB5C8AFAAB55836B0BFFCA917A709A65C5E930F7839D2C76B2CA7B43264A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000273942Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:06.955{EDA2768C-6FDD-642D-1600-00000000CB02}12881588C:\Windows\system32\svchost.exe{EDA2768C-741E-642D-3D01-00000000CB02}4964C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273941Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:06.955{EDA2768C-6FDD-642D-1600-00000000CB02}12881324C:\Windows\system32\svchost.exe{EDA2768C-741E-642D-3D01-00000000CB02}4964C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273940Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:06.955{EDA2768C-6FDC-642D-0C00-00000000CB02}856296C:\Windows\system32\svchost.exe{EDA2768C-741E-642D-3D01-00000000CB02}4964C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273939Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:06.955{EDA2768C-6FDC-642D-0C00-00000000CB02}856296C:\Windows\system32\svchost.exe{EDA2768C-741E-642D-3D01-00000000CB02}4964C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x101000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|c:\windows\system32\psmsrv.dll+e342|c:\windows\system32\psmsrv.dll+eb86|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273938Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:06.939{EDA2768C-741A-642D-2B01-00000000CB02}3880172C:\Windows\system32\csrss.exe{EDA2768C-741E-642D-3D01-00000000CB02}4964C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000273937Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:06.939{EDA2768C-6FDC-642D-0C00-00000000CB02}856984C:\Windows\system32\svchost.exe{EDA2768C-741E-642D-3D01-00000000CB02}4964C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+f997|C:\Windows\SYSTEM32\psmserviceexthost.dll+fa9b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1279f|C:\Windows\SYSTEM32\psmserviceexthost.dll+16992|C:\Windows\SYSTEM32\resourcepolicyserver.dll+15142|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11b0c|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b955|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x8000000000000000273936Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:06.939{EDA2768C-6FDC-642D-0C00-00000000CB02}856984C:\Windows\system32\svchost.exe{EDA2768C-741E-642D-3D01-00000000CB02}4964C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+3844|C:\Windows\SYSTEM32\psmserviceexthost.dll+1470c|C:\Windows\SYSTEM32\psmserviceexthost.dll+f933|C:\Windows\SYSTEM32\psmserviceexthost.dll+fa9b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1279f|C:\Windows\SYSTEM32\psmserviceexthost.dll+16992|C:\Windows\SYSTEM32\resourcepolicyserver.dll+15142|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11b0c|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b955|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000273935Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:06.939{EDA2768C-741D-642D-3301-00000000CB02}42764464C:\Windows\system32\sihost.exe{EDA2768C-741E-642D-3D01-00000000CB02}4964C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\usermgrcli.dll+1121|C:\Windows\System32\modernexecserver.dll+47ca8|C:\Windows\System32\modernexecserver.dll+47c41|C:\Windows\System32\modernexecserver.dll+19c8a|C:\Windows\System32\modernexecserver.dll+1f6f8|C:\Windows\SYSTEM32\twinapi.appcore.dll+32a67|C:\Windows\SYSTEM32\twinapi.appcore.dll+32870|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273934Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:06.939{EDA2768C-6FD9-642D-0500-00000000CB02}420548C:\Windows\system32\csrss.exe{EDA2768C-741E-642D-3D01-00000000CB02}4964C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000273933Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:06.939{EDA2768C-6FDC-642D-0C00-00000000CB02}856984C:\Windows\system32\svchost.exe{EDA2768C-741E-642D-3D01-00000000CB02}4964C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+6e193|C:\Windows\System32\KERNEL32.DLL+1d39f|c:\windows\system32\rpcss.dll+26002|c:\windows\system32\rpcss.dll+41031|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273932Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:06.861{EDA2768C-6FDC-642D-0C00-00000000CB02}856296C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2C00-00000000CB02}2664C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273931Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:06.861{EDA2768C-6FDC-642D-0C00-00000000CB02}856296C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2C00-00000000CB02}2664C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000273930Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:06.830{EDA2768C-741D-642D-3C01-00000000CB02}4768ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Local\Microsoft\Windows\Notifications\WPNPRMRY.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000273929Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:06.736{EDA2768C-6FDC-642D-0C00-00000000CB02}856296C:\Windows\system32\svchost.exe{EDA2768C-741D-642D-3C01-00000000CB02}4768C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273928Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:06.736{EDA2768C-6FDC-642D-0C00-00000000CB02}856296C:\Windows\system32\svchost.exe{EDA2768C-741D-642D-3C01-00000000CB02}4768C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273927Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:06.642{EDA2768C-6FDC-642D-0C00-00000000CB02}856296C:\Windows\system32\svchost.exe{EDA2768C-741D-642D-3C01-00000000CB02}4768C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273926Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:06.642{EDA2768C-6FDC-642D-0C00-00000000CB02}856296C:\Windows\system32\svchost.exe{EDA2768C-741D-642D-3C01-00000000CB02}4768C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273925Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:06.642{EDA2768C-741D-642D-3601-00000000CB02}43524436C:\Windows\system32\taskhostw.exe{EDA2768C-741D-642D-3C01-00000000CB02}4768C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273924Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:06.642{EDA2768C-6FDC-642D-0C00-00000000CB02}856296C:\Windows\system32\svchost.exe{EDA2768C-741D-642D-3C01-00000000CB02}4768C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d41c2|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273923Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:06.642{EDA2768C-6FDC-642D-0C00-00000000CB02}856296C:\Windows\system32\svchost.exe{EDA2768C-741D-642D-3C01-00000000CB02}4768C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273922Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:06.627{EDA2768C-6FDC-642D-0C00-00000000CB02}856296C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2C00-00000000CB02}2664C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273921Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-192.attackrange.local-2023-04-05 13:14:06.627{EDA2768C-6FDC-642D-0C00-00000000CB02}856296C:\Windows\system32\svchost.exe{EDA2768C-6FEA-642D-2C00-00000000CB02}2664C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+