23542300x800000000000000077168Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:29:27.621{B58D6529-E28E-62A1-7E00-000000006102}3696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B911D1E236DE773879A9F081C91439DD,SHA256=B4ED779C6D1BECDBF69336E61AF7D5741218E2BE0B4551F03F25C115352B3980,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000077169Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:29:28.699{B58D6529-E28E-62A1-7E00-000000006102}3696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7AEF91679DB797AF4868C1002B2045D,SHA256=BF60AF17D58BDA8DCC0099F8CA1123A90B85DBB91B7278B27CBC399A4B3CC2F4,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000077170Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:29:29.793{B58D6529-E28E-62A1-7E00-000000006102}3696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90B17E97B0F9EA5B1AB33FD891618EC8,SHA256=8E458D553BFC53582CF507364EA088C900C7B1D1295B8793090390D4F55E0B62,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000077172Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:29:30.887{B58D6529-E28E-62A1-7E00-000000006102}3696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19F2784C6B1D04EC40206C62D90AAD51,SHA256=7A4D9869F9D4E4146D24387A9EB1072F50D98537532F5311FCF42E6B39D372DE,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000077171Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:29:28.159{B58D6529-E286-62A1-7400-000000006102}4000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-921.attackrange.local60801-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000-
23542300x800000000000000077173Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:29:31.980{B58D6529-E28E-62A1-7E00-000000006102}3696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0AFD1CCC76B80EFC50695FAAC7AB0EE,SHA256=27E67DE1A3C5E624E8BB47EEBE322E71458087A5C1166D8D27FE6894C6CB9D16,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000077174Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:29:33.074{B58D6529-E28E-62A1-7E00-000000006102}3696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB1B1CD0D85CDE95D6D2AF955ED7DBA4,SHA256=A7574D8AF352C594B024B30CC002A3589FB39764B669C5D1405BB7DB9BCB2535,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000077175Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:29:34.168{B58D6529-E28E-62A1-7E00-000000006102}3696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36B8A3BBC8C484D61150DA64DEE9C88F,SHA256=7DE162D97098E21E9AC11644140440B48FB74494031A4CCE3DBF0530D5E676AC,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000077177Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:29:33.284{B58D6529-E286-62A1-7400-000000006102}4000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-921.attackrange.local60802-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000-
23542300x800000000000000077176Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:29:35.262{B58D6529-E28E-62A1-7E00-000000006102}3696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3A0AC073C2185676B4DFCBB9D0C745B,SHA256=1C8BBD08C7D049024A43411FB2C992D3F9664834CDDB8838BCF502469057A411,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000077186Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:29:36.355{B58D6529-E28E-62A1-7E00-000000006102}3696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C522AF03BB16B6732CA7FACF4441075,SHA256=71892EB308F7707DBE98DD5F8EBB57473DFC1DA1FCF0D952F58D88FB43908C29,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000077185Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:29:36.105{B58D6529-E27C-62A1-3800-000000006102}12562908C:\Windows\system32\conhost.exe{B58D6529-E7B0-62A1-6B01-000000006102}5004C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000077184Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:29:36.105{B58D6529-E26D-62A1-0C00-000000006102}8364124C:\Windows\system32\svchost.exe{B58D6529-E27B-62A1-2C00-000000006102}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000077183Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:29:36.105{B58D6529-E26D-62A1-0C00-000000006102}8364124C:\Windows\system32\svchost.exe{B58D6529-E27B-62A1-2C00-000000006102}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000077182Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:29:36.105{B58D6529-E26D-62A1-0C00-000000006102}8364124C:\Windows\system32\svchost.exe{B58D6529-E27B-62A1-2C00-000000006102}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000077181Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:29:36.105{B58D6529-E26D-62A1-0C00-000000006102}8364124C:\Windows\system32\svchost.exe{B58D6529-E27B-62A1-2C00-000000006102}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000077180Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:29:36.105{B58D6529-E26A-62A1-0500-000000006102}416528C:\Windows\system32\csrss.exe{B58D6529-E7B0-62A1-6B01-000000006102}5004C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x800000000000000077179Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:29:36.105{B58D6529-E27B-62A1-3000-000000006102}29563760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B58D6529-E7B0-62A1-6B01-000000006102}5004C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x800000000000000077178Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:29:36.106{B58D6529-E7B0-62A1-6B01-000000006102}5004C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B58D6529-E26B-62A1-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{B58D6529-E27B-62A1-3000-000000006102}2956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x800000000000000077198Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:29:37.746{B58D6529-E27B-62A1-3000-000000006102}2956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=FF876B0FB16290BB313DC6FE6297FB75,SHA256=DF54124C2C3883EE4A37235C2ACA0A8F29C3AAE7360DA8907D20458A55188BB0,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000077197Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:29:37.449{B58D6529-E28E-62A1-7E00-000000006102}3696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D5DE73E7743808C8DD0C4ECBDBAC96B,SHA256=205694445BF06EDC59DCBCE63DDCB6DF303F5402B405DA0394B930602CC43285,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000077196Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:29:37.340{B58D6529-E7B1-62A1-6C01-000000006102}7082876C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{B58D6529-E27B-62A1-3000-000000006102}2956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
23542300x800000000000000077195Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:29:37.152{B58D6529-E28E-62A1-7E00-000000006102}3696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B611680D1A8E2A4EECB3B57B9DB4C38D,SHA256=EE23D132B6AA37221F570B3E0D4F630CBE0BC5201351968E9213DC2E3E2B0625,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000077194Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:29:37.137{B58D6529-E27C-62A1-3800-000000006102}12562908C:\Windows\system32\conhost.exe{B58D6529-E7B1-62A1-6C01-000000006102}708C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000077193Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:29:37.137{B58D6529-E26D-62A1-0C00-000000006102}8364124C:\Windows\system32\svchost.exe{B58D6529-E27B-62A1-2C00-000000006102}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000077192Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:29:37.137{B58D6529-E26D-62A1-0C00-000000006102}8364124C:\Windows\system32\svchost.exe{B58D6529-E27B-62A1-2C00-000000006102}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000077191Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:29:37.137{B58D6529-E26D-62A1-0C00-000000006102}8364124C:\Windows\system32\svchost.exe{B58D6529-E27B-62A1-2C00-000000006102}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000077190Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:29:37.137{B58D6529-E26D-62A1-0C00-000000006102}8364124C:\Windows\system32\svchost.exe{B58D6529-E27B-62A1-2C00-000000006102}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000077189Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:29:37.137{B58D6529-E26A-62A1-0500-000000006102}416528C:\Windows\system32\csrss.exe{B58D6529-E7B1-62A1-6C01-000000006102}708C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x800000000000000077188Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:29:37.137{B58D6529-E27B-62A1-3000-000000006102}29563760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B58D6529-E7B1-62A1-6C01-000000006102}708C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x800000000000000077187Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:29:37.138{B58D6529-E7B1-62A1-6C01-000000006102}708C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B58D6529-E26B-62A1-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{B58D6529-E27B-62A1-3000-000000006102}2956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x800000000000000077209Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:29:38.543{B58D6529-E28E-62A1-7E00-000000006102}3696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B92371453BD39C74F7AAE880356D1D0,SHA256=AF1B7EC0042A3EEE0DC18A958DF57283B374344A26BB283CC8082B421B45484B,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000077208Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:29:36.659{B58D6529-E26B-62A1-0B00-000000006102}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-921.attackrange.local60803-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-921.attackrange.local389ldap
354300x800000000000000077207Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:29:36.659{B58D6529-E27B-62A1-3100-000000006102}1860C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-921.attackrange.local60803-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-921.attackrange.local389ldap
10341000x800000000000000077206Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:29:38.012{B58D6529-E27C-62A1-3800-000000006102}12562908C:\Windows\system32\conhost.exe{B58D6529-E7B2-62A1-6D01-000000006102}712C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000077205Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:29:38.012{B58D6529-E26D-62A1-0C00-000000006102}8364124C:\Windows\system32\svchost.exe{B58D6529-E27B-62A1-2C00-000000006102}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000077204Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:29:38.012{B58D6529-E26D-62A1-0C00-000000006102}8364124C:\Windows\system32\svchost.exe{B58D6529-E27B-62A1-2C00-000000006102}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000077203Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:29:38.012{B58D6529-E26D-62A1-0C00-000000006102}8364124C:\Windows\system32\svchost.exe{B58D6529-E27B-62A1-2C00-000000006102}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000077202Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:29:38.012{B58D6529-E26D-62A1-0C00-000000006102}8364124C:\Windows\system32\svchost.exe{B58D6529-E27B-62A1-2C00-000000006102}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000077201Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:29:38.012{B58D6529-E26A-62A1-0500-000000006102}416432C:\Windows\system32\csrss.exe{B58D6529-E7B2-62A1-6D01-000000006102}712C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x800000000000000077200Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:29:38.012{B58D6529-E27B-62A1-3000-000000006102}29563760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B58D6529-E7B2-62A1-6D01-000000006102}712C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x800000000000000077199Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:29:38.012{B58D6529-E7B2-62A1-6D01-000000006102}712C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B58D6529-E26B-62A1-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{B58D6529-E27B-62A1-3000-000000006102}2956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
10341000x800000000000000077219Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:29:39.996{B58D6529-E7B3-62A1-6E01-000000006102}21521996C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B58D6529-E27B-62A1-3000-000000006102}2956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000077218Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:29:39.762{B58D6529-E27C-62A1-3800-000000006102}12562908C:\Windows\system32\conhost.exe{B58D6529-E7B3-62A1-6E01-000000006102}2152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000077217Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:29:39.762{B58D6529-E26D-62A1-0C00-000000006102}8364124C:\Windows\system32\svchost.exe{B58D6529-E27B-62A1-2C00-000000006102}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000077216Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:29:39.762{B58D6529-E26D-62A1-0C00-000000006102}8364124C:\Windows\system32\svchost.exe{B58D6529-E27B-62A1-2C00-000000006102}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000077215Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:29:39.762{B58D6529-E26D-62A1-0C00-000000006102}8364124C:\Windows\system32\svchost.exe{B58D6529-E27B-62A1-2C00-000000006102}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000077214Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:29:39.762{B58D6529-E26D-62A1-0C00-000000006102}8364124C:\Windows\system32\svchost.exe{B58D6529-E27B-62A1-2C00-000000006102}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000077213Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:29:39.762{B58D6529-E26A-62A1-0500-000000006102}416296C:\Windows\system32\csrss.exe{B58D6529-E7B3-62A1-6E01-000000006102}2152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x800000000000000077212Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:29:39.762{B58D6529-E27B-62A1-3000-000000006102}29563760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B58D6529-E7B3-62A1-6E01-000000006102}2152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x800000000000000077211Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:29:39.762{B58D6529-E7B3-62A1-6E01-000000006102}2152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B58D6529-E26B-62A1-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{B58D6529-E27B-62A1-3000-000000006102}2956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x800000000000000077210Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:29:39.637{B58D6529-E28E-62A1-7E00-000000006102}3696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A32CE5E56C1B5779014DEDD04710985,SHA256=FA0DAFA64715AD9AC45A3B7672326B055A5E29E84D3AFEB0568403A3DD8849E3,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000077229Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:29:40.934{B58D6529-E7B4-62A1-6F01-000000006102}37243844C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B58D6529-E27B-62A1-3000-000000006102}2956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
23542300x800000000000000077228Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:29:40.730{B58D6529-E28E-62A1-7E00-000000006102}3696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FC4E68C790C396BA8C4979CEE9B3306,SHA256=F4333FED39DA02370AEAF0C279F9CADE13EE6A7F3D11E556B9BA98F289BB8977,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000077227Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:29:40.668{B58D6529-E27C-62A1-3800-000000006102}12562908C:\Windows\system32\conhost.exe{B58D6529-E7B4-62A1-6F01-000000006102}3724C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000077226Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:29:40.668{B58D6529-E26D-62A1-0C00-000000006102}8364124C:\Windows\system32\svchost.exe{B58D6529-E27B-62A1-2C00-000000006102}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000077225Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:29:40.668{B58D6529-E26D-62A1-0C00-000000006102}8364124C:\Windows\system32\svchost.exe{B58D6529-E27B-62A1-2C00-000000006102}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000077224Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:29:40.668{B58D6529-E26D-62A1-0C00-000000006102}8364124C:\Windows\system32\svchost.exe{B58D6529-E27B-62A1-2C00-000000006102}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000077223Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:29:40.668{B58D6529-E26D-62A1-0C00-000000006102}8364124C:\Windows\system32\svchost.exe{B58D6529-E27B-62A1-2C00-000000006102}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000077222Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:29:40.668{B58D6529-E26A-62A1-0500-000000006102}416432C:\Windows\system32\csrss.exe{B58D6529-E7B4-62A1-6F01-000000006102}3724C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x800000000000000077221Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:29:40.668{B58D6529-E27B-62A1-3000-000000006102}29563760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B58D6529-E7B4-62A1-6F01-000000006102}3724C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x800000000000000077220Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:29:40.669{B58D6529-E7B4-62A1-6F01-000000006102}3724C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{B58D6529-E26B-62A1-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{B58D6529-E27B-62A1-3000-000000006102}2956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x800000000000000077240Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:29:41.715{B58D6529-E28E-62A1-7E00-000000006102}3696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC91344D0DB542FDE063768FABA924BC,SHA256=47AEACF4AAC133086504FA93E61E9831A0A3068F07D23462C3EF9C8C2C6491F4,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000077239Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:29:41.387{B58D6529-E7B5-62A1-7001-000000006102}14921620C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{B58D6529-E27B-62A1-3000-000000006102}2956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
354300x800000000000000077238Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:29:39.252{B58D6529-E286-62A1-7400-000000006102}4000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-921.attackrange.local60804-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000-
10341000x800000000000000077237Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:29:41.184{B58D6529-E27C-62A1-3800-000000006102}12562908C:\Windows\system32\conhost.exe{B58D6529-E7B5-62A1-7001-000000006102}1492C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000077236Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:29:41.184{B58D6529-E26D-62A1-0C00-000000006102}8364124C:\Windows\system32\svchost.exe{B58D6529-E27B-62A1-2C00-000000006102}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000077235Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:29:41.184{B58D6529-E26D-62A1-0C00-000000006102}8364124C:\Windows\system32\svchost.exe{B58D6529-E27B-62A1-2C00-000000006102}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000077234Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:29:41.184{B58D6529-E26D-62A1-0C00-000000006102}8364124C:\Windows\system32\svchost.exe{B58D6529-E27B-62A1-2C00-000000006102}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000077233Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:29:41.184{B58D6529-E26D-62A1-0C00-000000006102}8364124C:\Windows\system32\svchost.exe{B58D6529-E27B-62A1-2C00-000000006102}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000077232Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:29:41.184{B58D6529-E26A-62A1-0500-000000006102}416432C:\Windows\system32\csrss.exe{B58D6529-E7B5-62A1-7001-000000006102}1492C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x800000000000000077231Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:29:41.184{B58D6529-E27B-62A1-3000-000000006102}29563760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B58D6529-E7B5-62A1-7001-000000006102}1492C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x800000000000000077230Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:29:41.186{B58D6529-E7B5-62A1-7001-000000006102}1492C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B58D6529-E26B-62A1-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{B58D6529-E27B-62A1-3000-000000006102}2956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x800000000000000077242Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:29:42.809{B58D6529-E28E-62A1-7E00-000000006102}3696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81733ACDE43BC69B6FE53D2D1B5B5AF8,SHA256=7C2AABE5514363E5AD7BB808D9CEE60DE27F1584BEBF7A5CC550639E0D5D5AB8,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000077241Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:29:42.215{B58D6529-E28E-62A1-7E00-000000006102}3696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F5A656B713648CFAB5272E534D2C1938,SHA256=4237EA0F92A283703EF172A90E13DFEDD3A14421CC31C1EE733D8DD63363446D,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000077251Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:29:43.902{B58D6529-E28E-62A1-7E00-000000006102}3696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1E5A2EABED7EC25EB66D84DAE13ABF7,SHA256=411FDDD96DAB250E00E40B2F5804571F24265665B7502D6FDD83F5C150B8FDF2,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000077250Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:29:43.152{B58D6529-E27C-62A1-3800-000000006102}12562908C:\Windows\system32\conhost.exe{B58D6529-E7B7-62A1-7101-000000006102}1984C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000077249Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:29:43.152{B58D6529-E26D-62A1-0C00-000000006102}8364124C:\Windows\system32\svchost.exe{B58D6529-E27B-62A1-2C00-000000006102}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000077248Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:29:43.152{B58D6529-E26D-62A1-0C00-000000006102}8364124C:\Windows\system32\svchost.exe{B58D6529-E27B-62A1-2C00-000000006102}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000077247Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:29:43.152{B58D6529-E26D-62A1-0C00-000000006102}8364124C:\Windows\system32\svchost.exe{B58D6529-E27B-62A1-2C00-000000006102}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000077246Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:29:43.152{B58D6529-E26D-62A1-0C00-000000006102}8364124C:\Windows\system32\svchost.exe{B58D6529-E27B-62A1-2C00-000000006102}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000077245Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:29:43.152{B58D6529-E26A-62A1-0500-000000006102}416432C:\Windows\system32\csrss.exe{B58D6529-E7B7-62A1-7101-000000006102}1984C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x800000000000000077244Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:29:43.152{B58D6529-E27B-62A1-3000-000000006102}29563760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B58D6529-E7B7-62A1-7101-000000006102}1984C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x800000000000000077243Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:29:43.153{B58D6529-E7B7-62A1-7101-000000006102}1984C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B58D6529-E26B-62A1-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{B58D6529-E27B-62A1-3000-000000006102}2956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x800000000000000077252Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:29:44.996{B58D6529-E28E-62A1-7E00-000000006102}3696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15E713E52D4AA3276E307BFD58192CEB,SHA256=5E3026CDC9FA0B20FA176FEE97B065B4063C5E04A70F86E99FFAC106075EC9A7,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000077254Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:29:45.190{B58D6529-E286-62A1-7400-000000006102}4000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-921.attackrange.local60805-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000-
23542300x800000000000000077253Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:29:46.090{B58D6529-E28E-62A1-7E00-000000006102}3696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD848DAC99CBA13E6D404ED84633EB2A,SHA256=1FFC18F774AED69584C811DB6D1D50C9084CDCEA2765C826935704CA48465CF2,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000077256Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:29:47.621{B58D6529-E6B0-62A1-2E01-000000006102}5472ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\session.xmlMD5=A8077CC2085CEC79CBE25AF4A6410880,SHA256=23B34885E3779D626164626D2295C19165B4A08D6C210CF88500A89AFD1104D2,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000077255Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:29:47.184{B58D6529-E28E-62A1-7E00-000000006102}3696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70EDBD5B517B8335D5FA1AC8315C8054,SHA256=2ED3D52B531BE2CFB506F7645A735142698C8BCC8F50760ADC409FA57E89BFAB,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000077257Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:29:48.277{B58D6529-E28E-62A1-7E00-000000006102}3696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E74DC4F800ECBB90982656B0B177A190,SHA256=C380246D63D7353F139853FB71535A5DBE927C0FB02472C94D8AD11AC4280395,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000077258Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:29:49.371{B58D6529-E28E-62A1-7E00-000000006102}3696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC5C313AA942E868F813DFD6FD36DDEB,SHA256=DAE42895EBBC40A222D3F11759F41933FF022299245BAD10517D723185988DEA,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000077259Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:29:50.465{B58D6529-E28E-62A1-7E00-000000006102}3696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB5255454138420F5B5EA9F7FA5A542C,SHA256=6B5D8D6F2600C1EBEB5C6414F7BC74FCA3583B86EE3359BED76DB92DF5A37AAD,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000077261Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:29:51.558{B58D6529-E28E-62A1-7E00-000000006102}3696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EAFC55115C38E131B52670E21EC9CDBF,SHA256=F2DFAF07E5D9BD220017B58970BC7290FDF63CC3922C479BBF2821A6EFFEA09B,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000077260Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:29:50.283{B58D6529-E286-62A1-7400-000000006102}4000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-921.attackrange.local60806-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000-
23542300x800000000000000077262Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:29:52.543{B58D6529-E28E-62A1-7E00-000000006102}3696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B29BAF8427B4B530FA38353101A2D022,SHA256=7D69E16A32869D941B299A0F3685534E6908A31079C7E549AC816536F50132D3,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000077263Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:29:53.637{B58D6529-E28E-62A1-7E00-000000006102}3696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FFE6485D77D6E88744F61D67A7DF4A2C,SHA256=96C8192078DE30592F43CAB7AEE5B910D8B1384981D31C755B877CBE423C00F9,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000077265Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:29:54.730{B58D6529-E28E-62A1-7E00-000000006102}3696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=917C127C249333BB9993878C3925EF59,SHA256=DD07644F1BDF7E79B26AE9BED72C9CE65F431B8F8FDBCE17033CF28307943E15,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000077264Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:29:54.637{B58D6529-E6B0-62A1-2E01-000000006102}5472ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\backup\AttackRangeSysmon.xml@2022-06-09_122947MD5=DDFA607144B004155B94478651013305,SHA256=2C58C6A7046A3DF4C48AB62B802ABD83628AE7F7A98CE4699EA892ABD8AA53DE,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000077266Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:29:55.824{B58D6529-E28E-62A1-7E00-000000006102}3696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31A86BD1F3537516A564DE3E6C368AD5,SHA256=1BFCE34EFA35CEB5665358D469C2377B40701AC277B439B20D443F7108EE5372,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000077267Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:29:56.918{B58D6529-E28E-62A1-7E00-000000006102}3696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7578C4E41A901D9ECDB3A74D1626F106,SHA256=9ECC47068F8953F0C9926A62CCD79FFC107DAA6F214ED1253988D755D8933173,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000077272Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:29:56.252{B58D6529-E286-62A1-7400-000000006102}4000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-921.attackrange.local60807-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000-
23542300x800000000000000077271Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:29:57.689{B58D6529-E27B-62A1-2A00-000000006102}2888NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-080141b80183777f0\channels\health\respondent-20220609120725-021MD5=B05F49A8181BD25F3D28D5D97A217946,SHA256=A974E01C88512E711C54F51B09ED6384637A1AE8E804DD0DEBEECEE074CCA559,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000077270Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:29:57.373{B58D6529-E26D-62A1-0D00-000000006102}8921336C:\Windows\system32\svchost.exe{B58D6529-E27B-62A1-2B00-000000006102}2896C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3d877|c:\windows\system32\rpcss.dll+29a97|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
23542300x800000000000000077269Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:29:57.058{B58D6529-E6B0-62A1-2E01-000000006102}5472ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\backup\AttackRangeSysmon.xml@2022-06-09_122947MD5=4DAA2D32F612D8986372E269F51ADE5F,SHA256=747F2C23A06BE983A49809B0BA9806F4DD8BB738CE90ABE0633074C32B37B932,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000077268Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:29:57.043{B58D6529-E6B0-62A1-2E01-000000006102}5472ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Program Files\ansible\AttackRangeSysmon.xmlMD5=3C2441D1BAB917C8EF9868804E9001DC,SHA256=1BFE1B01FE90EBC60B5966E67D395518967B183FEF08ED737619D1D439C0B044,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000077274Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:29:58.700{B58D6529-E27B-62A1-2A00-000000006102}2888NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-080141b80183777f0\channels\health\surveyor-20220609120723-022MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000077273Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:29:58.011{B58D6529-E28E-62A1-7E00-000000006102}3696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B3DC6572369EC5A73E1965B77AA585A,SHA256=0DA3696600FE994B090C9C507C62AFC54422FCD71CA92720F672E97F6CB5B117,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000077275Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:29:59.103{B58D6529-E28E-62A1-7E00-000000006102}3696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3EB432C6F271B485059BCB7C1E17B60E,SHA256=A7EA723B2EB67D4D4EC8BA18BA957A2FA1605AC0413A12B47A0C61C3DE7665B2,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000077276Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:30:00.202{B58D6529-E28E-62A1-7E00-000000006102}3696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26C1649684424F18DEB2975FB5A9106A,SHA256=D3CDE3EB651A4B49F2C5A6D917DA9680DA1E795000C953FA657E5551120B64D9,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000077277Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:30:01.296{B58D6529-E28E-62A1-7E00-000000006102}3696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FB7EB8618710BF190DDA07684FEC75B,SHA256=1D64E694D453FFCD1B759D8206625F6B5C3991830A6E93D4915E70D19C7B0806,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000077278Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:30:02.390{B58D6529-E28E-62A1-7E00-000000006102}3696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=241D63EA7E4D437A445CEBDA83627A22,SHA256=17967F9A027EAD3C2E2718FC8AFFF5F84309769886326D5F4CB40AB1328609B1,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000077280Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:30:02.208{B58D6529-E286-62A1-7400-000000006102}4000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-921.attackrange.local60808-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000-
23542300x800000000000000077279Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:30:03.483{B58D6529-E28E-62A1-7E00-000000006102}3696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6EDD3E40A1D56E399D6990B27B62481,SHA256=8A80D2FAFC1E9495D0916DB0E173DC21FD5B6AB1345EF153A44EFBDAA59A16FB,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000077281Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:30:04.577{B58D6529-E28E-62A1-7E00-000000006102}3696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E85653B6CBD59BE1CC554A364BBED66,SHA256=2DD34610F867A19057FD56A2A8F3C506FA7A6B907F0C799D4256EDB9EB1EC204,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000077282Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:30:05.671{B58D6529-E28E-62A1-7E00-000000006102}3696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=089C39F635308E0D1C12D9CFC00F0C12,SHA256=3465907AE5DAD97790EDBF7BC449AD0E70CE3963478FEFF49EDA1FCF8E4D37F9,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000077283Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:30:06.765{B58D6529-E28E-62A1-7E00-000000006102}3696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE05BA9975044D57C4721FEDF25CC370,SHA256=4642217762649C89F4381363E243C08DD207D4ADB7871CEBE3905284B64E0CC1,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000077285Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:30:07.874{B58D6529-E28E-62A1-7E00-000000006102}3696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=583846705FF6162BFFC93F4924A0BB32,SHA256=7C6562E60F4E2721D2DF82F495003DEA96DF128EBE2FA78FABE2E65949A71B9E,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000077284Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:30:07.015{B58D6529-E27B-62A1-3000-000000006102}2956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=A6C9FEB110635819DA301C49D869C354,SHA256=AAFDA3F90FE4CBA08CC9FE128D2757073A039D63FDDF97B8157E5A308CCAA38E,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000077287Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:30:07.333{B58D6529-E286-62A1-7400-000000006102}4000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-921.attackrange.local60809-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000-
23542300x800000000000000077286Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:30:08.968{B58D6529-E28E-62A1-7E00-000000006102}3696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D86A3F49B3086A30B4BC446D228409E3,SHA256=7EE7225DA76792349311A7BFC3E14AD1231E5FB2B1BE25120D08177A295F3670,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000077288Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:30:09.749{B58D6529-E26D-62A1-1100-000000006102}392NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=EDE2F09B93F063BAEA308ECDBFE28921,SHA256=96B7583798733C489D9CD8F67531131EBC3B17A29ACEE7737DBC1C0A204346AD,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000077289Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:30:10.061{B58D6529-E28E-62A1-7E00-000000006102}3696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6F8BD9694D01A64089911B3F3E045E2,SHA256=4C649AD635C6BE4D20C6D87F63283A7039616D100253C3C38E0D1335E2B37D16,IMPHASH=00000000000000000000000000000000falsetrue
13241300x800000000000000077300Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-SetValue2022-06-09 12:30:11.202{B58D6529-E26B-62A1-0B00-000000006102}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008)
13241300x800000000000000077299Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-SetValue2022-06-09 12:30:11.202{B58D6529-E26B-62A1-0B00-000000006102}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x00152dd0)
13241300x800000000000000077298Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-SetValue2022-06-09 12:30:11.202{B58D6529-E26B-62A1-0B00-000000006102}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d87bf4-0x47908db3)
13241300x800000000000000077297Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-SetValue2022-06-09 12:30:11.202{B58D6529-E26B-62A1-0B00-000000006102}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d87bfc-0xa954f5b3)
13241300x800000000000000077296Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-SetValue2022-06-09 12:30:11.202{B58D6529-E26B-62A1-0B00-000000006102}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d87c05-0x0b195db3)
13241300x800000000000000077295Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-SetValue2022-06-09 12:30:11.202{B58D6529-E26B-62A1-0B00-000000006102}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008)
13241300x800000000000000077294Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-SetValue2022-06-09 12:30:11.202{B58D6529-E26B-62A1-0B00-000000006102}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x00152dd0)
13241300x800000000000000077293Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-SetValue2022-06-09 12:30:11.202{B58D6529-E26B-62A1-0B00-000000006102}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d87bf4-0x47908db3)
13241300x800000000000000077292Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-SetValue2022-06-09 12:30:11.202{B58D6529-E26B-62A1-0B00-000000006102}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d87bfc-0xa954f5b3)
13241300x800000000000000077291Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-SetValue2022-06-09 12:30:11.202{B58D6529-E26B-62A1-0B00-000000006102}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d87c05-0x0b195db3)
23542300x800000000000000077290Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:30:11.155{B58D6529-E28E-62A1-7E00-000000006102}3696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D4BCB189769AACB84BE6AC466D9CB9A,SHA256=50E5830237DCEF9CF0BCDA69E0A7A53904ABE176682DD69E882593E14309E926,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000077301Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:30:12.249{B58D6529-E28E-62A1-7E00-000000006102}3696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59BF33B55F23E34B991D1FBCBE3B892F,SHA256=FCB7E31D8D9583DB4DCD4EF13C68331589911F3383951C58DD173DBD8A363CF8,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000077302Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:30:13.343{B58D6529-E28E-62A1-7E00-000000006102}3696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7ACBE289BB8AC47B3D5A986BEE632269,SHA256=B1E2438316457D9A471665C5A07F94983C0FB39C4ACB1B7FB0C3B90C216A237A,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000077303Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:30:14.436{B58D6529-E28E-62A1-7E00-000000006102}3696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22CE0AA77DCE1298C8D2D46294514F82,SHA256=27C0CFA440F4A448D3265F9F07213FEA02DA408393036313D849BBFAAFE74A2A,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000077305Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:30:15.530{B58D6529-E28E-62A1-7E00-000000006102}3696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6DBF67B6A951F7F2D680CE7B7B736805,SHA256=7240C208FBA66B50844606CA00E0D67294EB344CC7FF371D12234570D7FFE258,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000077304Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:30:13.208{B58D6529-E286-62A1-7400-000000006102}4000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-921.attackrange.local60810-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000-
23542300x800000000000000077306Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:30:16.624{B58D6529-E28E-62A1-7E00-000000006102}3696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E811676D9BBCDED6BF59703FB529A04B,SHA256=21EAED0E4027FFF5471AB737D2E4BBCC6A1C70CC265FB9A4F303BE11A1BE43DD,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000077307Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:30:17.718{B58D6529-E28E-62A1-7E00-000000006102}3696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E26B064134BF9DA7A1B9FF344997F292,SHA256=16D9A1E3E8B99B5DF8DF12CEADC10A8FFF0EE657BADF5B0AA7870005D7D9D44F,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000077308Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:30:18.811{B58D6529-E28E-62A1-7E00-000000006102}3696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D6A9DAFAF57D4AAC54EFA749271A9FF,SHA256=ED822B04DAA0AC709122842C2216D92D67D78D83550BE14E9CB2E1C644B9CA4F,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000077309Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:30:19.905{B58D6529-E28E-62A1-7E00-000000006102}3696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6762E9934085FD1123CF2734F0EDA99D,SHA256=7775196927E98D8881B9236113D9A0C3A2606284A3ADE6E8AFADEB449FC81BAC,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000077311Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:30:19.225{B58D6529-E286-62A1-7400-000000006102}4000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-921.attackrange.local60811-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000-
23542300x800000000000000077310Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:30:20.999{B58D6529-E28E-62A1-7E00-000000006102}3696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89061590AE591DE47102D8C22F0C546E,SHA256=E8BB30FE3EA2BA220574DA31396ED78C3D97B153F013FA39C563A54CCDD8C2F4,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000077313Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:30:22.483{B58D6529-E27B-62A1-3000-000000006102}2956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=2E4874A8D89F22A87EE909EFA8C2135A,SHA256=51D23DA60BE266B23909A4839E20EACE8F918230F4858A2569297A92FFAABD91,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000077312Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:30:22.093{B58D6529-E28E-62A1-7E00-000000006102}3696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C25B961B4B61274F6F6DEA9D9F02379,SHA256=86EBFED59A3F9539731341EF43CFF4F3AE54A52016CAD53D24AE9C63D2AFF1C0,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000077314Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:30:23.186{B58D6529-E28E-62A1-7E00-000000006102}3696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8406B4B0C7A58F1CC1A346F935ECB05C,SHA256=258497AF050DE30EC46049AC43D85C41804CE6026351B7852D0F70670FD7747D,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000077316Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:30:24.280{B58D6529-E28E-62A1-7E00-000000006102}3696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CB3A6EAC433B0D9E0D4279E7594CCD9,SHA256=C966542388ED6CCF1499E9A31E0B3E52651E866A11D86E0BE569836223141203,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000077315Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:30:22.536{B58D6529-E27B-62A1-3000-000000006102}2956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-921.attackrange.local60812-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089-
23542300x800000000000000077317Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:30:25.374{B58D6529-E28E-62A1-7E00-000000006102}3696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D1E9592D4ADA0DBB581FD24AB017A54,SHA256=962D59EE120702FE99104580C6EEBBCCE0404CAC767D81436814827FC1C21B2A,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000077319Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:30:26.468{B58D6529-E28E-62A1-7E00-000000006102}3696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9046D0586ECF7AEFF3C3E70A31A533C8,SHA256=6C0FCB5E43B4417916B3C29B935141136DBAC54C4DA41CA8F8D15079C05E9F4F,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000077318Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:30:24.286{B58D6529-E286-62A1-7400-000000006102}4000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-921.attackrange.local60813-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000-
23542300x800000000000000077320Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:30:27.561{B58D6529-E28E-62A1-7E00-000000006102}3696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A25CA66628BA79C4279FB7A0C08A0605,SHA256=45214955F1D9F1F7A232B3398C5059C8101B2D774DBDF29B36FCE55B3757AABC,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000077321Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:30:28.655{B58D6529-E28E-62A1-7E00-000000006102}3696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5DB683AEF0735EED6AEF0F0D7AC1D336,SHA256=707A6214C214B90FE06531D9F10770057A209571AAF7AFB7BC928218520248FD,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000077322Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:30:29.749{B58D6529-E28E-62A1-7E00-000000006102}3696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66D465AD4C46B746651835F025E86203,SHA256=92A28A33643591725430E702335A9798323BFADB1454D7ABEC46E302929F46B9,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000077323Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:30:30.842{B58D6529-E28E-62A1-7E00-000000006102}3696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A12CF15A610AECEDE749AD0FB6A6A439,SHA256=5E6291F2D35CFE42195379EB1C7D18338CAA2F8D2739466B2D14DCCD479490A8,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000077325Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:30:31.936{B58D6529-E28E-62A1-7E00-000000006102}3696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9EE8E88E798FB7E3CC1E967BB3566366,SHA256=DB2B3814143FE506CD91546BB8219227BDC2D9F4D78E552F924F2B7CF109B7FF,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000077324Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:30:30.302{B58D6529-E286-62A1-7400-000000006102}4000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-921.attackrange.local60814-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000-
23542300x800000000000000077326Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:30:33.030{B58D6529-E28E-62A1-7E00-000000006102}3696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8441C42566E8221349CBA4C82CDB4ACE,SHA256=8937348BADD556C0BBB2E5777AF46C83A229923C2B988A2B6C249FEAA5ADEDD4,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000077327Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:30:34.124{B58D6529-E28E-62A1-7E00-000000006102}3696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A9E7678578DD22EF905400D16BED644,SHA256=3BDDFA10E9089FDA0A5922D0DF1082CD1C5BC778C4FC86ABE397F5604180CDAB,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000077328Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:30:35.217{B58D6529-E28E-62A1-7E00-000000006102}3696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6608363669D3F2AD6BCFE2386BEC6DF4,SHA256=DB683D610EDD66506245A6F6046F7CCF55D425AF303DD8BA5681820A625BDEAB,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000077337Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:30:36.311{B58D6529-E28E-62A1-7E00-000000006102}3696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85E1BD3A6E5909FA574B7CECBFE1CB56,SHA256=979940F9AD41FB6334468F2F3221FD807697B3F4F85E9712ECC652110DACD98E,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000077336Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:30:36.124{B58D6529-E27C-62A1-3800-000000006102}12562908C:\Windows\system32\conhost.exe{B58D6529-E7EC-62A1-7201-000000006102}3956C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000077335Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:30:36.124{B58D6529-E26D-62A1-0C00-000000006102}8364124C:\Windows\system32\svchost.exe{B58D6529-E27B-62A1-2C00-000000006102}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000077334Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:30:36.124{B58D6529-E26D-62A1-0C00-000000006102}8364124C:\Windows\system32\svchost.exe{B58D6529-E27B-62A1-2C00-000000006102}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000077333Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:30:36.124{B58D6529-E26D-62A1-0C00-000000006102}8364124C:\Windows\system32\svchost.exe{B58D6529-E27B-62A1-2C00-000000006102}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000077332Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:30:36.124{B58D6529-E26D-62A1-0C00-000000006102}8364124C:\Windows\system32\svchost.exe{B58D6529-E27B-62A1-2C00-000000006102}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000077331Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:30:36.124{B58D6529-E26A-62A1-0500-000000006102}416432C:\Windows\system32\csrss.exe{B58D6529-E7EC-62A1-7201-000000006102}3956C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x800000000000000077330Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:30:36.124{B58D6529-E27B-62A1-3000-000000006102}29563760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B58D6529-E7EC-62A1-7201-000000006102}3956C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x800000000000000077329Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:30:36.124{B58D6529-E7EC-62A1-7201-000000006102}3956C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B58D6529-E26B-62A1-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{B58D6529-E27B-62A1-3000-000000006102}2956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
354300x800000000000000077350Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:30:36.098{B58D6529-E286-62A1-7400-000000006102}4000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-921.attackrange.local60815-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000-
23542300x800000000000000077349Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:30:37.405{B58D6529-E28E-62A1-7E00-000000006102}3696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77ED5874FADC9F4D1053F2AEE2E01321,SHA256=8D08FC48E4D150C20857ABC060F9EE2765D04089C216F208E43F184A6D31A219,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000077348Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:30:37.296{B58D6529-E7ED-62A1-7301-000000006102}59803808C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{B58D6529-E27B-62A1-3000-000000006102}2956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
23542300x800000000000000077347Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:30:37.265{B58D6529-E27B-62A1-3000-000000006102}2956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=B9511FFFCA8B6441850BBC7823BF585B,SHA256=4EDB34CC05A8CEEFA11852599585C74FBAFDFAA25A4966DE0C1C130DD125D05C,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000077346Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:30:37.171{B58D6529-E28E-62A1-7E00-000000006102}3696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=989CF4909ABFC5FD3B53C8996BEFF3CF,SHA256=EE020A930D70E15BCA277EDE17FB31FB606D19CB408EED045B5190F4FE80EF93,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000077345Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:30:37.139{B58D6529-E27C-62A1-3800-000000006102}12562908C:\Windows\system32\conhost.exe{B58D6529-E7ED-62A1-7301-000000006102}5980C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000077344Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:30:37.139{B58D6529-E26D-62A1-0C00-000000006102}8364124C:\Windows\system32\svchost.exe{B58D6529-E27B-62A1-2C00-000000006102}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000077343Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:30:37.139{B58D6529-E26D-62A1-0C00-000000006102}8364124C:\Windows\system32\svchost.exe{B58D6529-E27B-62A1-2C00-000000006102}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000077342Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:30:37.139{B58D6529-E26D-62A1-0C00-000000006102}8364124C:\Windows\system32\svchost.exe{B58D6529-E27B-62A1-2C00-000000006102}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000077341Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:30:37.139{B58D6529-E26D-62A1-0C00-000000006102}8364124C:\Windows\system32\svchost.exe{B58D6529-E27B-62A1-2C00-000000006102}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000077340Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:30:37.139{B58D6529-E26A-62A1-0500-000000006102}416296C:\Windows\system32\csrss.exe{B58D6529-E7ED-62A1-7301-000000006102}5980C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x800000000000000077339Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:30:37.139{B58D6529-E27B-62A1-3000-000000006102}29563760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B58D6529-E7ED-62A1-7301-000000006102}5980C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x800000000000000077338Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:30:37.140{B58D6529-E7ED-62A1-7301-000000006102}5980C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B58D6529-E26B-62A1-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{B58D6529-E27B-62A1-3000-000000006102}2956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
354300x800000000000000077361Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:30:36.662{B58D6529-E26B-62A1-0B00-000000006102}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-921.attackrange.local60816-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-921.attackrange.local389ldap
354300x800000000000000077360Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:30:36.662{B58D6529-E27B-62A1-3100-000000006102}1860C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-921.attackrange.local60816-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-921.attackrange.local389ldap
23542300x800000000000000077359Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:30:38.499{B58D6529-E28E-62A1-7E00-000000006102}3696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8EE23E70CAA04E13EC92C4BAC021B47A,SHA256=EEB45D2C510E0504F6E406F5A0A4D4A4BEC46465C6F63874D60ABEE13489073E,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000077358Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:30:38.014{B58D6529-E27C-62A1-3800-000000006102}12562908C:\Windows\system32\conhost.exe{B58D6529-E7EE-62A1-7401-000000006102}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000077357Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:30:38.014{B58D6529-E26D-62A1-0C00-000000006102}8364124C:\Windows\system32\svchost.exe{B58D6529-E27B-62A1-2C00-000000006102}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000077356Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:30:38.014{B58D6529-E26D-62A1-0C00-000000006102}8364124C:\Windows\system32\svchost.exe{B58D6529-E27B-62A1-2C00-000000006102}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000077355Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:30:38.014{B58D6529-E26D-62A1-0C00-000000006102}8364124C:\Windows\system32\svchost.exe{B58D6529-E27B-62A1-2C00-000000006102}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000077354Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:30:38.014{B58D6529-E26D-62A1-0C00-000000006102}8364124C:\Windows\system32\svchost.exe{B58D6529-E27B-62A1-2C00-000000006102}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000077353Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:30:38.014{B58D6529-E26A-62A1-0500-000000006102}416296C:\Windows\system32\csrss.exe{B58D6529-E7EE-62A1-7401-000000006102}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x800000000000000077352Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:30:38.014{B58D6529-E27B-62A1-3000-000000006102}29563760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B58D6529-E7EE-62A1-7401-000000006102}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x800000000000000077351Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:30:38.015{B58D6529-E7EE-62A1-7401-000000006102}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B58D6529-E26B-62A1-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{B58D6529-E27B-62A1-3000-000000006102}2956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
10341000x800000000000000077371Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:30:39.858{B58D6529-E7EF-62A1-7501-000000006102}32765820C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B58D6529-E27B-62A1-3000-000000006102}2956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000077370Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:30:39.655{B58D6529-E27C-62A1-3800-000000006102}12562908C:\Windows\system32\conhost.exe{B58D6529-E7EF-62A1-7501-000000006102}3276C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000077369Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:30:39.655{B58D6529-E26D-62A1-0C00-000000006102}8364124C:\Windows\system32\svchost.exe{B58D6529-E27B-62A1-2C00-000000006102}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000077368Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:30:39.655{B58D6529-E26D-62A1-0C00-000000006102}8364124C:\Windows\system32\svchost.exe{B58D6529-E27B-62A1-2C00-000000006102}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000077367Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:30:39.655{B58D6529-E26D-62A1-0C00-000000006102}8364124C:\Windows\system32\svchost.exe{B58D6529-E27B-62A1-2C00-000000006102}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000077366Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:30:39.655{B58D6529-E26D-62A1-0C00-000000006102}8364124C:\Windows\system32\svchost.exe{B58D6529-E27B-62A1-2C00-000000006102}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000077365Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:30:39.655{B58D6529-E26A-62A1-0500-000000006102}416432C:\Windows\system32\csrss.exe{B58D6529-E7EF-62A1-7501-000000006102}3276C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x800000000000000077364Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:30:39.655{B58D6529-E27B-62A1-3000-000000006102}29563760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B58D6529-E7EF-62A1-7501-000000006102}3276C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x800000000000000077363Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:30:39.656{B58D6529-E7EF-62A1-7501-000000006102}3276C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B58D6529-E26B-62A1-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{B58D6529-E27B-62A1-3000-000000006102}2956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x800000000000000077362Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:30:39.592{B58D6529-E28E-62A1-7E00-000000006102}3696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22A7845D0A376CF76EBD614F71569F60,SHA256=57E39547C6903B996858C0BA20A48BA47B1B2EB0430607C004736F01CD4AA03B,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000077381Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:30:40.874{B58D6529-E7F0-62A1-7601-000000006102}41965240C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B58D6529-E27B-62A1-3000-000000006102}2956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
23542300x800000000000000077380Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:30:40.686{B58D6529-E28E-62A1-7E00-000000006102}3696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3058EDEB76030C13D9F3DF48E9056C8,SHA256=7084F895B76DF1B8CB2E3E9F8EDE6021C0418BB397057AF2D85D3EB1468B8BFD,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000077379Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:30:40.686{B58D6529-E27C-62A1-3800-000000006102}12562908C:\Windows\system32\conhost.exe{B58D6529-E7F0-62A1-7601-000000006102}4196C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000077378Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:30:40.686{B58D6529-E26D-62A1-0C00-000000006102}8364124C:\Windows\system32\svchost.exe{B58D6529-E27B-62A1-2C00-000000006102}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000077377Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:30:40.686{B58D6529-E26D-62A1-0C00-000000006102}8364124C:\Windows\system32\svchost.exe{B58D6529-E27B-62A1-2C00-000000006102}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000077376Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:30:40.686{B58D6529-E26D-62A1-0C00-000000006102}8364124C:\Windows\system32\svchost.exe{B58D6529-E27B-62A1-2C00-000000006102}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000077375Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:30:40.686{B58D6529-E26D-62A1-0C00-000000006102}8364124C:\Windows\system32\svchost.exe{B58D6529-E27B-62A1-2C00-000000006102}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000077374Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:30:40.686{B58D6529-E26A-62A1-0500-000000006102}416432C:\Windows\system32\csrss.exe{B58D6529-E7F0-62A1-7601-000000006102}4196C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x800000000000000077373Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:30:40.686{B58D6529-E27B-62A1-3000-000000006102}29563760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B58D6529-E7F0-62A1-7601-000000006102}4196C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x800000000000000077372Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:30:40.687{B58D6529-E7F0-62A1-7601-000000006102}4196C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{B58D6529-E26B-62A1-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{B58D6529-E27B-62A1-3000-000000006102}2956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x800000000000000077391Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:30:41.780{B58D6529-E28E-62A1-7E00-000000006102}3696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF6D28BC36EA1E9CBDE632195C94E36D,SHA256=BBB7DB4F3E89A7B4EA3AC7B7A6D327AAC8208D61F7E48000EAC938029DE7FF8B,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000077390Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:30:41.592{B58D6529-E7F1-62A1-7701-000000006102}43405196C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{B58D6529-E27B-62A1-3000-000000006102}2956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000077389Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:30:41.358{B58D6529-E27C-62A1-3800-000000006102}12562908C:\Windows\system32\conhost.exe{B58D6529-E7F1-62A1-7701-000000006102}4340C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000077388Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:30:41.358{B58D6529-E26D-62A1-0C00-000000006102}8364124C:\Windows\system32\svchost.exe{B58D6529-E27B-62A1-2C00-000000006102}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000077387Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:30:41.358{B58D6529-E26D-62A1-0C00-000000006102}8364124C:\Windows\system32\svchost.exe{B58D6529-E27B-62A1-2C00-000000006102}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000077386Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:30:41.358{B58D6529-E26D-62A1-0C00-000000006102}8364124C:\Windows\system32\svchost.exe{B58D6529-E27B-62A1-2C00-000000006102}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000077385Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:30:41.358{B58D6529-E26D-62A1-0C00-000000006102}8364124C:\Windows\system32\svchost.exe{B58D6529-E27B-62A1-2C00-000000006102}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000077384Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:30:41.358{B58D6529-E26A-62A1-0500-000000006102}416296C:\Windows\system32\csrss.exe{B58D6529-E7F1-62A1-7701-000000006102}4340C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x800000000000000077383Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:30:41.358{B58D6529-E27B-62A1-3000-000000006102}29563760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B58D6529-E7F1-62A1-7701-000000006102}4340C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x800000000000000077382Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:30:41.359{B58D6529-E7F1-62A1-7701-000000006102}4340C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B58D6529-E26B-62A1-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{B58D6529-E27B-62A1-3000-000000006102}2956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x800000000000000077393Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:30:42.874{B58D6529-E28E-62A1-7E00-000000006102}3696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E32B1E8F5FF95B34CFBDB6CC87EE0D9,SHA256=0958620E4A0A57C4913332F7357470D86596BA100F5B17CF6A4C11506FFA91A1,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000077392Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:30:41.192{B58D6529-E286-62A1-7400-000000006102}4000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-921.attackrange.local60817-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000-
23542300x800000000000000077402Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:30:43.967{B58D6529-E28E-62A1-7E00-000000006102}3696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F88922903C2D99F6F268E8123D7BD42,SHA256=4949515390ADE2C9F1E98DB43ECD15BC7C0EDDD302D0055A6E0FBB9532B0ED87,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000077401Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:30:43.077{B58D6529-E27C-62A1-3800-000000006102}12562908C:\Windows\system32\conhost.exe{B58D6529-E7F3-62A1-7801-000000006102}5408C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000077400Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:30:43.077{B58D6529-E26D-62A1-0C00-000000006102}8364124C:\Windows\system32\svchost.exe{B58D6529-E27B-62A1-2C00-000000006102}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000077399Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:30:43.077{B58D6529-E26D-62A1-0C00-000000006102}8364124C:\Windows\system32\svchost.exe{B58D6529-E27B-62A1-2C00-000000006102}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000077398Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:30:43.077{B58D6529-E26D-62A1-0C00-000000006102}8364124C:\Windows\system32\svchost.exe{B58D6529-E27B-62A1-2C00-000000006102}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000077397Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:30:43.077{B58D6529-E26D-62A1-0C00-000000006102}8364124C:\Windows\system32\svchost.exe{B58D6529-E27B-62A1-2C00-000000006102}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000077396Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:30:43.077{B58D6529-E26A-62A1-0500-000000006102}416432C:\Windows\system32\csrss.exe{B58D6529-E7F3-62A1-7801-000000006102}5408C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x800000000000000077395Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:30:43.077{B58D6529-E27B-62A1-3000-000000006102}29563760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B58D6529-E7F3-62A1-7801-000000006102}5408C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x800000000000000077394Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:30:43.078{B58D6529-E7F3-62A1-7801-000000006102}5408C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B58D6529-E26B-62A1-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{B58D6529-E27B-62A1-3000-000000006102}2956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x800000000000000077403Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:30:44.171{B58D6529-E28E-62A1-7E00-000000006102}3696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A01EB50CF0980A71FBF5F0979A3658C7,SHA256=5045C32C366B5BF3E73B78118A2B9E4D1C94250CC4CCB88B31FFD3A431868CF4,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000077404Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:30:45.061{B58D6529-E28E-62A1-7E00-000000006102}3696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6C2938D896CADFBA530B78239AA5B4C,SHA256=A6604A893C477F1EF2BCD35BCD607CDC54D593D5A9A8DD14A4E4EEFDB16002F3,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000077405Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:30:46.155{B58D6529-E28E-62A1-7E00-000000006102}3696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A38F3B95EBC5A1609645623F0E58E737,SHA256=87CA90B925A6B40F22FB2BC5E646AF9EB2641BDB6FE24EDD01A483CBCE26BEDE,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000077407Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:30:46.270{B58D6529-E286-62A1-7400-000000006102}4000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-921.attackrange.local60818-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000-
23542300x800000000000000077406Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:30:47.249{B58D6529-E28E-62A1-7E00-000000006102}3696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1907591B52A3635918698D5D52FC4C03,SHA256=33B8BF2DB5B675E35F88D6839AF38E5E77172677A91E851B1F2B2CE5101F1ABA,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000077408Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:30:48.342{B58D6529-E28E-62A1-7E00-000000006102}3696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B5F7C6690523A5939CF2FDA936F7FDB,SHA256=9E678E5CB79AA4AFDFEE69CDDE7AEFF270FE4C0A58EC756FB5D2D770B863CA33,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000077409Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:30:49.436{B58D6529-E28E-62A1-7E00-000000006102}3696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14727201269FE8469C09E5BE4E45E036,SHA256=E56CCD77E9063A508D817445096038FAAC83984615DE654396FD9CBF3AF1C983,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000077410Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:30:50.530{B58D6529-E28E-62A1-7E00-000000006102}3696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E39843B854A6E2700B10F548F3A8AC3,SHA256=ECCF117B099E3DD6470CDE67DF94BF460F7E4E3F5A53E03E4AD71182BD0739EC,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000077411Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:30:51.624{B58D6529-E28E-62A1-7E00-000000006102}3696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13C4F150D09828783A23748ACC6FB2D0,SHA256=89D5A936F82A008E63C2EC63005E238031FB8593ACF326E4431F95C12C3DDE6D,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000077412Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:30:52.717{B58D6529-E28E-62A1-7E00-000000006102}3696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14951EB12C181AAD7DA6CF2D556BC0CF,SHA256=092745EBE7637E208F68D1D27FC55B1288A1A49D2D9B8341BA50078D4A1D5A84,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000077414Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:30:52.301{B58D6529-E286-62A1-7400-000000006102}4000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-921.attackrange.local60819-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000-
23542300x800000000000000077413Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:30:53.811{B58D6529-E28E-62A1-7E00-000000006102}3696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09A92E5F12A231AB05C239ED90BDF26A,SHA256=BC4E9992D7BDEFBFB8E216BE6C6BC12F870CD8A662D1D726C2B048DEB1FB9946,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000077415Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:30:54.905{B58D6529-E28E-62A1-7E00-000000006102}3696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D2080B444D082C00C9C5CCB231E478E,SHA256=2DE173F7B6C92156C45F8CDD0A4E7024FF7FC29F868CBFD49CAD762680C4E163,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000077416Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:30:55.999{B58D6529-E28E-62A1-7E00-000000006102}3696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE175111DEF8A71F5E7D4FD588520C72,SHA256=05145C52A4030A1463E8D4990C8CADB2875BF04E35E847FF76B4773649E44C34,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000077417Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:30:57.092{B58D6529-E28E-62A1-7E00-000000006102}3696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16CFA9057FD310D4FFEBF23915C50DCC,SHA256=1199355709B38DD5D6CBFA699B14BFE81CE8D5FBEF331D0B014F1DE8F24E09C9,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000077418Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:30:58.186{B58D6529-E28E-62A1-7E00-000000006102}3696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBBA22A2F710DCD83CD11A177AD92B49,SHA256=4EF91EA2A9F248478D944FACF884583680BF517B903C4C374EDE4FB13D7AD14C,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000077420Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:30:59.280{B58D6529-E28E-62A1-7E00-000000006102}3696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=803B67556848D7A7A6C4579E6F4BB86C,SHA256=ED61EFE7258D407972A1AAF0E62299F1D05EB1115A5896291284BC1B05043EB8,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000077419Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:30:59.221{B58D6529-E27B-62A1-2A00-000000006102}2888NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-080141b80183777f0\channels\health\respondent-20220609120725-022MD5=B05F49A8181BD25F3D28D5D97A217946,SHA256=A974E01C88512E711C54F51B09ED6384637A1AE8E804DD0DEBEECEE074CCA559,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000077423Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:31:00.262{B58D6529-E28E-62A1-7E00-000000006102}3696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB436C538B96B2D9B586112D5C3A77B0,SHA256=9843988795B84CB67EB0311EADA004388AEC3266AF65302E04B1E5A6E1DCA178,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000077422Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:30:58.286{B58D6529-E286-62A1-7400-000000006102}4000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-921.attackrange.local60820-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000-
23542300x800000000000000077421Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:31:00.234{B58D6529-E27B-62A1-2A00-000000006102}2888NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-080141b80183777f0\channels\health\surveyor-20220609120723-023MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000077424Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:31:01.359{B58D6529-E28E-62A1-7E00-000000006102}3696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B289C2D00C621A8C7495A8BE230E7401,SHA256=6EC70C6C093701D475D8A58601FE4E0D4416C443546524641C3A6A6E66D85652,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000077426Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:31:02.453{B58D6529-E6B0-62A1-2E01-000000006102}5472ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Program Files\ansible\AttackRangeSysmon.xmlMD5=28AD5350C2569D13CD9805B0EDCF10C2,SHA256=352F4F5DF673C238A513FCBB0C4795BEE350E0FDEA902737F17DCBA79245B201,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000077425Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:31:02.453{B58D6529-E28E-62A1-7E00-000000006102}3696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68B82504E880301144573935BDFE7953,SHA256=4EC0DE2363E6AC9A380D5D438970201C63371523081E7308CBDE67F5129CCA71,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000077427Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:31:03.547{B58D6529-E28E-62A1-7E00-000000006102}3696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0271AC11F9A854C00A03102950AC3B57,SHA256=A49420572C45D2D422BA7945B0666A17A1DDE383B638700903AACC44C6E4DF61,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000077430Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:31:04.641{B58D6529-E28E-62A1-7E00-000000006102}3696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D778FFA8E2D91670087C7B8AD3FCE0E,SHA256=8B6C061F0168B59D2E615B01B11F8E505F200CC752C7A232F257D5BFFA00DD2E,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000077429Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:31:04.641{B58D6529-E28E-62A1-7E00-000000006102}3696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=C08F6329644B8840F0347A4F123764A6,SHA256=4E06C6FD056F14C5F51EE212B790FF3B1B1E439CD70AF2052F49C95EB4131A89,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000077428Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:31:04.500{B58D6529-E26D-62A1-0C00-000000006102}836948C:\Windows\system32\svchost.exe{B58D6529-E26D-62A1-1000-000000006102}304C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
23542300x800000000000000077433Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:31:05.734{B58D6529-E28E-62A1-7E00-000000006102}3696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B167C8658652A3FA2307CE08E06410A4,SHA256=E0556858E3DA6469825A314E8A89FA5B19C7984F01A90CE0FD48F49484135657,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000077432Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:31:05.203{B58D6529-E26D-62A1-0D00-000000006102}8921336C:\Windows\system32\svchost.exe{B58D6529-E26D-62A1-1200-000000006102}760C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3d877|c:\windows\system32\rpcss.dll+29a97|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000077431Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:31:05.203{B58D6529-E26D-62A1-0D00-000000006102}8921336C:\Windows\system32\svchost.exe{B58D6529-E26D-62A1-1000-000000006102}304C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3d877|c:\windows\system32\rpcss.dll+29a97|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
23542300x800000000000000077435Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:31:06.828{B58D6529-E28E-62A1-7E00-000000006102}3696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76B4D1C877D6022831D30CBE1E7536C9,SHA256=F6D790B1C7B2ABC1CABBD0B6256DCDB4D78D254CCAD80ECFC7525F2CCA1C80E2,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000077434Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:31:04.271{B58D6529-E286-62A1-7400-000000006102}4000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-921.attackrange.local60821-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000-
23542300x800000000000000077437Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:31:07.922{B58D6529-E28E-62A1-7E00-000000006102}3696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C782E8C6AB06053FC76E004590698155,SHA256=9C7C16724FA97B1F361F2BEED6904DCE400C80FF94D57C935D1901CB30DCE296,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000077436Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:31:07.516{B58D6529-E27B-62A1-3000-000000006102}2956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=C0B41A93AA81DC94C41CD77A9BB8A7E5,SHA256=8C4D831643F14F0EB67B167C05A4C70DAB9248457424443DC4E3D50148490879,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000077439Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:31:09.750{B58D6529-E26D-62A1-1100-000000006102}392NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=E055D4B2C7EFC65BA537144F5F112D11,SHA256=5E7B184210D23E5C66AF66A9585F9BE4FD3F802D1DACC2ED1B8A24A914D8021C,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000077438Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:31:09.016{B58D6529-E28E-62A1-7E00-000000006102}3696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4094C78F683EE2E48542C00E043647AA,SHA256=EF592FA4E3905266FB25C0F71F863A2CDC172C6A51D6AF9E20EFD94B4399ACC1,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000077440Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:31:10.109{B58D6529-E28E-62A1-7E00-000000006102}3696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E4F5390AA886E9561C932719378285C,SHA256=F46E816EDF6C227A0D24CA30388C48548A6381DAE4A7C2BA3B760CA673D7DF86,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000077442Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:31:10.131{B58D6529-E286-62A1-7400-000000006102}4000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-921.attackrange.local60822-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000-
23542300x800000000000000077441Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:31:11.203{B58D6529-E28E-62A1-7E00-000000006102}3696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3B8E14FB134342FEBC3121D32ECD130,SHA256=B9749B322A8EC1FAEBA985E9C85A5C993A060135E5066F8C2AC0AD77851B1BC7,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000077443Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:31:12.297{B58D6529-E28E-62A1-7E00-000000006102}3696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4ECA7A420B82403F187F4B0BE9A8EAE5,SHA256=A40F7DC49659FCC7AEE5D1E9037DA5D5A0BDDE8013158337A7B508B338E6B412,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000077444Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:31:13.391{B58D6529-E28E-62A1-7E00-000000006102}3696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=830CDAC811FE87D9B04F3073471B55D7,SHA256=3FD73AF31B5999166D11012F74CF6519D12D7C6C947BDAB7D4A0E5A89ACB565E,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000077445Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:31:14.484{B58D6529-E28E-62A1-7E00-000000006102}3696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4953554667487F7BBF60329AF558E711,SHA256=6760071EAB43963F7021C42ECCAF8605A623C991D155CE30C29B9A410A35BC08,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000077446Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:31:15.578{B58D6529-E28E-62A1-7E00-000000006102}3696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8F6253A0B58D6E78D2C0257495031E4,SHA256=1871F7E38B4F62C6D03D221DA77FC9AB12DA7AE37FFCADB2DAECF2318C23CED0,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000077448Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:31:16.781{B58D6529-E28E-62A1-7E00-000000006102}3696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46B2C253B9BEDF0BCC5050958A0A1DCD,SHA256=13C12BB763754CB24779A51441FEFE6BB366EFEE9459ECA95CDC6185B3652A4F,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000077447Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:31:15.256{B58D6529-E286-62A1-7400-000000006102}4000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-921.attackrange.local60823-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000-
23542300x800000000000000077449Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:31:17.875{B58D6529-E28E-62A1-7E00-000000006102}3696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=722734C7DEEB02252254B1302B873541,SHA256=0AE31421E01D9385B3DB571DF71CFA9C28FB8BF8D96C903B5F27B9D692B8D959,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000077450Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:31:18.969{B58D6529-E28E-62A1-7E00-000000006102}3696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1AD811BF248523B7D9CF0E44B6D7C356,SHA256=3EB45C6B4E059E4545CAA7B6669199FADCC8BA67E765B1608E38FC359B2EDE14,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000077451Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:31:20.062{B58D6529-E28E-62A1-7E00-000000006102}3696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C1544F1EE1C803FF9445E1DA16E8BC4,SHA256=4D9D216BE45FD4C7AD0A8EFED39979B960CC097CAD6D9AF2A66A7ADFB014ABED,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000077455Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:31:20.271{B58D6529-E286-62A1-7400-000000006102}4000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-921.attackrange.local60824-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000-
10341000x800000000000000077454Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:31:21.687{B58D6529-E26D-62A1-0D00-000000006102}8921336C:\Windows\system32\svchost.exe{B58D6529-E6B0-62A1-2E01-000000006102}5472C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3d877|c:\windows\system32\rpcss.dll+29a97|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000077453Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:31:21.687{B58D6529-E26D-62A1-0D00-000000006102}8921336C:\Windows\system32\svchost.exe{B58D6529-E6B0-62A1-2E01-000000006102}5472C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3d877|c:\windows\system32\rpcss.dll+29a97|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
23542300x800000000000000077452Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:31:21.156{B58D6529-E28E-62A1-7E00-000000006102}3696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD5896610948B7B70D55D8E502EAC421,SHA256=08791B0F6D29239C0EEAB83A1E75C69B9E62EA660CE850D18863A1BA485C9265,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000077457Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:31:22.500{B58D6529-E27B-62A1-3000-000000006102}2956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=2E4874A8D89F22A87EE909EFA8C2135A,SHA256=51D23DA60BE266B23909A4839E20EACE8F918230F4858A2569297A92FFAABD91,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000077456Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:31:22.250{B58D6529-E28E-62A1-7E00-000000006102}3696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC2F055432AFD5F840768B9AAAE327A5,SHA256=A8E05725C1FFAF2771D33934130DBED136F8DBB7BF5BC0AF54F7315AF9BDA625,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000077459Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:31:22.553{B58D6529-E27B-62A1-3000-000000006102}2956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-921.attackrange.local60825-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089-
23542300x800000000000000077458Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:31:23.344{B58D6529-E28E-62A1-7E00-000000006102}3696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F3A883EEA194D7FA2C753D961276596,SHA256=E29F00E1084A9832714AFE7F6B7ACFCE33037CEB2D2D0356876F91290B1A67BD,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000077460Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:31:24.437{B58D6529-E28E-62A1-7E00-000000006102}3696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B94C527BF013B4C5A093A0F08CD0301C,SHA256=75B6A93F5D74C21E163451A14AA6E4C216A52816D555B1EAA5B2ED366A3B07E8,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000077461Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:31:25.531{B58D6529-E28E-62A1-7E00-000000006102}3696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61655CF121813C2BEC66C2ED049349A4,SHA256=0C39E76F5E0925C83B344E88DE2A45876B405D118F768C591751DB110B9F7E0A,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000077462Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:31:26.625{B58D6529-E28E-62A1-7E00-000000006102}3696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB292F366C0116CD96D4171CFC6DAFBD,SHA256=F423142A9B2A4B225F6B49CB9FCECAEE8520F809449FD1A163EE9EAC610E2B5B,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000077492Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:31:26.224{B58D6529-E286-62A1-7400-000000006102}4000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-921.attackrange.local60826-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000-
10341000x800000000000000077491Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:31:27.531{B58D6529-E26D-62A1-0D00-000000006102}892912C:\Windows\system32\svchost.exe{B58D6529-E486-62A1-DB00-000000006102}5104C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000077490Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:31:27.531{B58D6529-E26D-62A1-0D00-000000006102}892912C:\Windows\system32\svchost.exe{B58D6529-E486-62A1-DB00-000000006102}5104C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000077489Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:31:27.531{B58D6529-E26D-62A1-0D00-000000006102}892912C:\Windows\system32\svchost.exe{B58D6529-E486-62A1-DB00-000000006102}5104C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000077488Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:31:27.531{B58D6529-E26D-62A1-0D00-000000006102}892912C:\Windows\system32\svchost.exe{B58D6529-E484-62A1-D700-000000006102}4724C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000077487Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:31:27.531{B58D6529-E26D-62A1-0D00-000000006102}892912C:\Windows\system32\svchost.exe{B58D6529-E484-62A1-D700-000000006102}4724C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000077486Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:31:27.531{B58D6529-E26D-62A1-0D00-000000006102}892912C:\Windows\system32\svchost.exe{B58D6529-E484-62A1-D700-000000006102}4724C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000077485Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:31:27.531{B58D6529-E26D-62A1-0D00-000000006102}892912C:\Windows\system32\svchost.exe{B58D6529-E484-62A1-D700-000000006102}4724C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000077484Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:31:27.531{B58D6529-E26D-62A1-0D00-000000006102}892912C:\Windows\system32\svchost.exe{B58D6529-E484-62A1-D700-000000006102}4724C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000077483Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:31:27.531{B58D6529-E26D-62A1-0D00-000000006102}892912C:\Windows\system32\svchost.exe{B58D6529-E484-62A1-D700-000000006102}4724C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000077482Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:31:27.531{B58D6529-E26D-62A1-0D00-000000006102}892912C:\Windows\system32\svchost.exe{B58D6529-E484-62A1-D700-000000006102}4724C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000077481Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:31:27.531{B58D6529-E26D-62A1-0D00-000000006102}892912C:\Windows\system32\svchost.exe{B58D6529-E484-62A1-D700-000000006102}4724C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000077480Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:31:27.531{B58D6529-E26D-62A1-0D00-000000006102}892912C:\Windows\system32\svchost.exe{B58D6529-E484-62A1-D700-000000006102}4724C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000077479Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:31:27.531{B58D6529-E26D-62A1-0D00-000000006102}892912C:\Windows\system32\svchost.exe{B58D6529-E484-62A1-D700-000000006102}4724C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000077478Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:31:27.531{B58D6529-E26D-62A1-0D00-000000006102}892912C:\Windows\system32\svchost.exe{B58D6529-E484-62A1-D700-000000006102}4724C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000077477Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:31:27.531{B58D6529-E26D-62A1-0D00-000000006102}892912C:\Windows\system32\svchost.exe{B58D6529-E484-62A1-D700-000000006102}4724C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000077476Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:31:27.531{B58D6529-E26D-62A1-0D00-000000006102}892912C:\Windows\system32\svchost.exe{B58D6529-E484-62A1-D700-000000006102}4724C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000077475Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:31:27.531{B58D6529-E26D-62A1-0D00-000000006102}892912C:\Windows\system32\svchost.exe{B58D6529-E484-62A1-D700-000000006102}4724C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000077474Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:31:27.531{B58D6529-E26D-62A1-0D00-000000006102}892912C:\Windows\system32\svchost.exe{B58D6529-E484-62A1-D700-000000006102}4724C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000077473Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:31:27.531{B58D6529-E26D-62A1-0D00-000000006102}892912C:\Windows\system32\svchost.exe{B58D6529-E484-62A1-D700-000000006102}4724C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000077472Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:31:27.531{B58D6529-E26D-62A1-0D00-000000006102}892912C:\Windows\system32\svchost.exe{B58D6529-E484-62A1-D700-000000006102}4724C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000077471Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:31:27.531{B58D6529-E26D-62A1-0D00-000000006102}892912C:\Windows\system32\svchost.exe{B58D6529-E484-62A1-D700-000000006102}4724C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000077470Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:31:27.531{B58D6529-E26D-62A1-0D00-000000006102}892912C:\Windows\system32\svchost.exe{B58D6529-E485-62A1-D900-000000006102}4932C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000077469Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:31:27.531{B58D6529-E26D-62A1-0D00-000000006102}892912C:\Windows\system32\svchost.exe{B58D6529-E485-62A1-D900-000000006102}4932C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000077468Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:31:27.531{B58D6529-E26D-62A1-0D00-000000006102}892912C:\Windows\system32\svchost.exe{B58D6529-E485-62A1-D900-000000006102}4932C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000077467Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:31:27.531{B58D6529-E26D-62A1-0D00-000000006102}892912C:\Windows\system32\svchost.exe{B58D6529-E485-62A1-D900-000000006102}4932C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000077466Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:31:27.531{B58D6529-E26D-62A1-0D00-000000006102}892912C:\Windows\system32\svchost.exe{B58D6529-E485-62A1-D900-000000006102}4932C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000077465Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:31:27.531{B58D6529-E26D-62A1-0D00-000000006102}892912C:\Windows\system32\svchost.exe{B58D6529-E485-62A1-D900-000000006102}4932C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000077464Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:31:27.531{B58D6529-E26D-62A1-0D00-000000006102}892912C:\Windows\system32\svchost.exe{B58D6529-E485-62A1-D900-000000006102}4932C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000077463Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:31:27.531{B58D6529-E26D-62A1-0D00-000000006102}892912C:\Windows\system32\svchost.exe{B58D6529-E485-62A1-D900-000000006102}4932C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
23542300x800000000000000077493Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:31:28.250{B58D6529-E28E-62A1-7E00-000000006102}3696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7EBB04FAE6828D9B9F3D8BCA925F6FD,SHA256=CF8695E0AFAF2F84F371945DD6A3F2F38FECD8EFA1F9CECD09A8F05FB2FFC90E,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000077494Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:31:29.062{B58D6529-E28E-62A1-7E00-000000006102}3696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3AAFD446B98AED07188ADF33FB1DCE06,SHA256=E6707D45D91DF8B190CCA1BC34793C5BF09DF4E48FC3EF7488A1FBD7FE14640A,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000077495Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:31:30.156{B58D6529-E28E-62A1-7E00-000000006102}3696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43FDAE2696B0DCD70383DC47235B99E9,SHA256=3018D17DC04ED8B544E004EDD08FA711AFA59C133C64A51D7C8973B1C71DD6E2,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000077496Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:31:31.250{B58D6529-E28E-62A1-7E00-000000006102}3696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F5B20DD052CA0E98A6C2136575DFACA,SHA256=E72AD5E348E26AAFD35A035637AD05C1F2D8D8096B3C9890485260CBF0B37594,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000077497Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:31:32.344{B58D6529-E28E-62A1-7E00-000000006102}3696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C36ED59BC1A837F8DEDA75D74835EB04,SHA256=368D5615B1A4BA0D4FE26528CEFDC427503D45B5C3A53A86774643E9D4A88C75,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000077498Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:31:33.437{B58D6529-E28E-62A1-7E00-000000006102}3696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D3ACCFEFAF07802E883514282D47EFA,SHA256=6ACCE41BEED70C3789D93D0BA4B1A604DB63FB13E344BE48A08A2311BFAB5B3C,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000077500Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:31:34.531{B58D6529-E28E-62A1-7E00-000000006102}3696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8308E0242C42A8471BA46819C59F23E,SHA256=9EA2FEE5989D37988B61C3AFD814BF9DB998DFEA922A0B29135F21A15C69BB41,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000077499Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:31:32.132{B58D6529-E286-62A1-7400-000000006102}4000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-921.attackrange.local60827-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000-
23542300x800000000000000077501Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:31:35.625{B58D6529-E28E-62A1-7E00-000000006102}3696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D48785A16602ADDF3245BCA6091FFCA7,SHA256=7EE86A3D2D35B9BCEABE729678BCF8FDCFB9F2AB6E06AAE886BFE38F35F479CF,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000077510Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:31:36.719{B58D6529-E28E-62A1-7E00-000000006102}3696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F31442160B026994D56AE9CDFFE264C,SHA256=027B9E5D7C71435A9294D60877400A53B804CDCE59FCE75D21E26C7CDC5B0B6A,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000077509Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:31:36.125{B58D6529-E27C-62A1-3800-000000006102}12562908C:\Windows\system32\conhost.exe{B58D6529-E828-62A1-7901-000000006102}4220C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000077508Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:31:36.125{B58D6529-E26D-62A1-0C00-000000006102}836948C:\Windows\system32\svchost.exe{B58D6529-E27B-62A1-2C00-000000006102}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000077507Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:31:36.125{B58D6529-E26D-62A1-0C00-000000006102}836948C:\Windows\system32\svchost.exe{B58D6529-E27B-62A1-2C00-000000006102}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000077506Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:31:36.125{B58D6529-E26D-62A1-0C00-000000006102}836948C:\Windows\system32\svchost.exe{B58D6529-E27B-62A1-2C00-000000006102}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000077505Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:31:36.125{B58D6529-E26D-62A1-0C00-000000006102}836948C:\Windows\system32\svchost.exe{B58D6529-E27B-62A1-2C00-000000006102}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000077504Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:31:36.125{B58D6529-E26A-62A1-0500-000000006102}416296C:\Windows\system32\csrss.exe{B58D6529-E828-62A1-7901-000000006102}4220C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x800000000000000077503Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:31:36.125{B58D6529-E27B-62A1-3000-000000006102}29563760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B58D6529-E828-62A1-7901-000000006102}4220C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x800000000000000077502Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:31:36.126{B58D6529-E828-62A1-7901-000000006102}4220C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B58D6529-E26B-62A1-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{B58D6529-E27B-62A1-3000-000000006102}2956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x800000000000000077522Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:31:37.812{B58D6529-E28E-62A1-7E00-000000006102}3696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D0568C284E6EFFED003B16443DF1EFD,SHA256=C10AB9E573D7B10191EABF2B17BBF9182F41FEC189383C0BD4E3EF0A0992C1EC,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000077521Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:31:37.765{B58D6529-E27B-62A1-3000-000000006102}2956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=611EA4797C18ACBF503ED1DC4BB2B25C,SHA256=283175ADB4B0EE3675B29628EFE2CAE26AD459F9BB96CB2CAB973CFE1C4552BA,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000077520Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:31:37.312{B58D6529-E829-62A1-7A01-000000006102}60124924C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{B58D6529-E27B-62A1-3000-000000006102}2956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
23542300x800000000000000077519Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:31:37.250{B58D6529-E28E-62A1-7E00-000000006102}3696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DB7F96D6D8ED22C3E62488FABB5EBD84,SHA256=0C1E213674ADCBFADFC8C3F2112C077D64ACEE50189631DAEA006F1AFDC06363,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000077518Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:31:37.140{B58D6529-E27C-62A1-3800-000000006102}12562908C:\Windows\system32\conhost.exe{B58D6529-E829-62A1-7A01-000000006102}6012C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000077517Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:31:37.140{B58D6529-E26D-62A1-0C00-000000006102}836948C:\Windows\system32\svchost.exe{B58D6529-E27B-62A1-2C00-000000006102}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000077516Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:31:37.140{B58D6529-E26D-62A1-0C00-000000006102}836948C:\Windows\system32\svchost.exe{B58D6529-E27B-62A1-2C00-000000006102}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000077515Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:31:37.140{B58D6529-E26D-62A1-0C00-000000006102}836948C:\Windows\system32\svchost.exe{B58D6529-E27B-62A1-2C00-000000006102}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000077514Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:31:37.140{B58D6529-E26D-62A1-0C00-000000006102}836948C:\Windows\system32\svchost.exe{B58D6529-E27B-62A1-2C00-000000006102}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000077513Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:31:37.140{B58D6529-E26A-62A1-0500-000000006102}416296C:\Windows\system32\csrss.exe{B58D6529-E829-62A1-7A01-000000006102}6012C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x800000000000000077512Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:31:37.140{B58D6529-E27B-62A1-3000-000000006102}29563760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B58D6529-E829-62A1-7A01-000000006102}6012C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x800000000000000077511Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:31:37.141{B58D6529-E829-62A1-7A01-000000006102}6012C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B58D6529-E26B-62A1-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{B58D6529-E27B-62A1-3000-000000006102}2956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x800000000000000077533Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:31:38.906{B58D6529-E28E-62A1-7E00-000000006102}3696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E51A5CC6E23119994C9B51ACC51C7416,SHA256=8B53B20D5EE9BEAECFE56B164B4DEEDB091692D7A4370EF8103E932B9BCB88E9,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000077532Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:31:36.662{B58D6529-E26B-62A1-0B00-000000006102}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-921.attackrange.local60828-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-921.attackrange.local389ldap
354300x800000000000000077531Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:31:36.662{B58D6529-E27B-62A1-3100-000000006102}1860C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-921.attackrange.local60828-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-921.attackrange.local389ldap
10341000x800000000000000077530Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:31:38.031{B58D6529-E27C-62A1-3800-000000006102}12562908C:\Windows\system32\conhost.exe{B58D6529-E82A-62A1-7B01-000000006102}424C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000077529Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:31:38.031{B58D6529-E26D-62A1-0C00-000000006102}836948C:\Windows\system32\svchost.exe{B58D6529-E27B-62A1-2C00-000000006102}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000077528Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:31:38.031{B58D6529-E26D-62A1-0C00-000000006102}836948C:\Windows\system32\svchost.exe{B58D6529-E27B-62A1-2C00-000000006102}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000077527Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:31:38.031{B58D6529-E26D-62A1-0C00-000000006102}836948C:\Windows\system32\svchost.exe{B58D6529-E27B-62A1-2C00-000000006102}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000077526Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:31:38.031{B58D6529-E26D-62A1-0C00-000000006102}836948C:\Windows\system32\svchost.exe{B58D6529-E27B-62A1-2C00-000000006102}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000077525Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:31:38.031{B58D6529-E26A-62A1-0500-000000006102}416296C:\Windows\system32\csrss.exe{B58D6529-E82A-62A1-7B01-000000006102}424C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x800000000000000077524Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:31:38.031{B58D6529-E27B-62A1-3000-000000006102}29563760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B58D6529-E82A-62A1-7B01-000000006102}424C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x800000000000000077523Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:31:38.032{B58D6529-E82A-62A1-7B01-000000006102}424C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B58D6529-E26B-62A1-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{B58D6529-E27B-62A1-3000-000000006102}2956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x800000000000000077544Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:31:39.844{B58D6529-E6B0-62A1-2E01-000000006102}5472ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\session.xmlMD5=AC08AA007908C245161D7F3A8C95414E,SHA256=55DD5C84C70FB5FC31AFE1C1EF692F13BF42EAF326FCA6C8744E31DA4EA90CE4,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000077543Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:31:39.828{B58D6529-E82B-62A1-7C01-000000006102}59405988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B58D6529-E27B-62A1-3000-000000006102}2956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000077542Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:31:39.656{B58D6529-E27C-62A1-3800-000000006102}12562908C:\Windows\system32\conhost.exe{B58D6529-E82B-62A1-7C01-000000006102}5940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000077541Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:31:39.656{B58D6529-E26D-62A1-0C00-000000006102}836948C:\Windows\system32\svchost.exe{B58D6529-E27B-62A1-2C00-000000006102}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000077540Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:31:39.656{B58D6529-E26D-62A1-0C00-000000006102}836948C:\Windows\system32\svchost.exe{B58D6529-E27B-62A1-2C00-000000006102}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000077539Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:31:39.656{B58D6529-E26D-62A1-0C00-000000006102}836948C:\Windows\system32\svchost.exe{B58D6529-E27B-62A1-2C00-000000006102}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000077538Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:31:39.656{B58D6529-E26D-62A1-0C00-000000006102}836948C:\Windows\system32\svchost.exe{B58D6529-E27B-62A1-2C00-000000006102}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000077537Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:31:39.656{B58D6529-E26A-62A1-0500-000000006102}416432C:\Windows\system32\csrss.exe{B58D6529-E82B-62A1-7C01-000000006102}5940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x800000000000000077536Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:31:39.656{B58D6529-E27B-62A1-3000-000000006102}29563760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B58D6529-E82B-62A1-7C01-000000006102}5940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x800000000000000077535Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:31:39.657{B58D6529-E82B-62A1-7C01-000000006102}5940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B58D6529-E26B-62A1-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{B58D6529-E27B-62A1-3000-000000006102}2956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
354300x800000000000000077534Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:31:37.193{B58D6529-E286-62A1-7400-000000006102}4000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-921.attackrange.local60829-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000-
10341000x800000000000000077554Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:31:40.906{B58D6529-E82C-62A1-7D01-000000006102}52325332C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B58D6529-E27B-62A1-3000-000000006102}2956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000077553Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:31:40.687{B58D6529-E27C-62A1-3800-000000006102}12562908C:\Windows\system32\conhost.exe{B58D6529-E82C-62A1-7D01-000000006102}5232C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000077552Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:31:40.687{B58D6529-E26D-62A1-0C00-000000006102}836948C:\Windows\system32\svchost.exe{B58D6529-E27B-62A1-2C00-000000006102}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000077551Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:31:40.687{B58D6529-E26D-62A1-0C00-000000006102}836948C:\Windows\system32\svchost.exe{B58D6529-E27B-62A1-2C00-000000006102}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000077550Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:31:40.687{B58D6529-E26D-62A1-0C00-000000006102}836948C:\Windows\system32\svchost.exe{B58D6529-E27B-62A1-2C00-000000006102}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000077549Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:31:40.687{B58D6529-E26D-62A1-0C00-000000006102}836948C:\Windows\system32\svchost.exe{B58D6529-E27B-62A1-2C00-000000006102}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000077548Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:31:40.687{B58D6529-E26A-62A1-0500-000000006102}416528C:\Windows\system32\csrss.exe{B58D6529-E82C-62A1-7D01-000000006102}5232C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x800000000000000077547Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:31:40.687{B58D6529-E27B-62A1-3000-000000006102}29563760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B58D6529-E82C-62A1-7D01-000000006102}5232C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x800000000000000077546Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:31:40.693{B58D6529-E82C-62A1-7D01-000000006102}5232C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{B58D6529-E26B-62A1-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{B58D6529-E27B-62A1-3000-000000006102}2956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x800000000000000077545Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:31:40.000{B58D6529-E28E-62A1-7E00-000000006102}3696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43BE12D62EC37BA14CCF418BC469EDA4,SHA256=39AFEE42D17E8DCAA9D0DA33AB4D036A7CA23CA96F1EE95E2F16C3916FB48997,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000077564Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:31:41.390{B58D6529-E82D-62A1-7E01-000000006102}43324604C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{B58D6529-E27B-62A1-3000-000000006102}2956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000077563Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:31:41.187{B58D6529-E27C-62A1-3800-000000006102}12562908C:\Windows\system32\conhost.exe{B58D6529-E82D-62A1-7E01-000000006102}4332C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000077562Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:31:41.187{B58D6529-E26D-62A1-0C00-000000006102}836948C:\Windows\system32\svchost.exe{B58D6529-E27B-62A1-2C00-000000006102}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000077561Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:31:41.187{B58D6529-E26D-62A1-0C00-000000006102}836948C:\Windows\system32\svchost.exe{B58D6529-E27B-62A1-2C00-000000006102}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000077560Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:31:41.187{B58D6529-E26D-62A1-0C00-000000006102}836948C:\Windows\system32\svchost.exe{B58D6529-E27B-62A1-2C00-000000006102}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000077559Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:31:41.187{B58D6529-E26D-62A1-0C00-000000006102}836948C:\Windows\system32\svchost.exe{B58D6529-E27B-62A1-2C00-000000006102}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000077558Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:31:41.187{B58D6529-E26A-62A1-0500-000000006102}416296C:\Windows\system32\csrss.exe{B58D6529-E82D-62A1-7E01-000000006102}4332C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x800000000000000077557Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:31:41.187{B58D6529-E27B-62A1-3000-000000006102}29563760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B58D6529-E82D-62A1-7E01-000000006102}4332C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x800000000000000077556Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:31:41.188{B58D6529-E82D-62A1-7E01-000000006102}4332C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B58D6529-E26B-62A1-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{B58D6529-E27B-62A1-3000-000000006102}2956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x800000000000000077555Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:31:41.094{B58D6529-E28E-62A1-7E00-000000006102}3696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A89AABE3DC7CD1093DA8F1F7222A190,SHA256=31C91253196D3659A2F1D433EF3F09C830EB336A709DDA2834520B9BDE40A47E,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000077566Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:31:42.297{B58D6529-E28E-62A1-7E00-000000006102}3696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F2BF9D0F3198F35A05BA38258873BBE6,SHA256=83CB1625D36D8CEB32157524EFB85F979A6C2F612D27F2ADB40892C0A2CFD35D,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000077565Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:31:42.187{B58D6529-E28E-62A1-7E00-000000006102}3696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D541AB2201E7F9FD464171603CB4792,SHA256=2AF535B99DAB34AD6003D14F6AD1E2095BA6F23E32ABB7947BC5A16B5B0667E2,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000077575Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:31:43.281{B58D6529-E28E-62A1-7E00-000000006102}3696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA9D4BCD708CF40609CE9BD2A3B8134C,SHA256=F441DF4EA5F1E98BF2F9018C9E9B83E30E3B0D04BAA6CFA7C71AAB99A58CC173,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000077574Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:31:43.078{B58D6529-E27C-62A1-3800-000000006102}12562908C:\Windows\system32\conhost.exe{B58D6529-E82F-62A1-7F01-000000006102}5136C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000077573Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:31:43.078{B58D6529-E26D-62A1-0C00-000000006102}836948C:\Windows\system32\svchost.exe{B58D6529-E27B-62A1-2C00-000000006102}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000077572Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:31:43.078{B58D6529-E26D-62A1-0C00-000000006102}836948C:\Windows\system32\svchost.exe{B58D6529-E27B-62A1-2C00-000000006102}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000077571Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:31:43.078{B58D6529-E26D-62A1-0C00-000000006102}836948C:\Windows\system32\svchost.exe{B58D6529-E27B-62A1-2C00-000000006102}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000077570Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:31:43.078{B58D6529-E26D-62A1-0C00-000000006102}836948C:\Windows\system32\svchost.exe{B58D6529-E27B-62A1-2C00-000000006102}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000077569Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:31:43.078{B58D6529-E26A-62A1-0500-000000006102}416296C:\Windows\system32\csrss.exe{B58D6529-E82F-62A1-7F01-000000006102}5136C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x800000000000000077568Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:31:43.078{B58D6529-E27B-62A1-3000-000000006102}29563760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B58D6529-E82F-62A1-7F01-000000006102}5136C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x800000000000000077567Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:31:43.079{B58D6529-E82F-62A1-7F01-000000006102}5136C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B58D6529-E26B-62A1-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{B58D6529-E27B-62A1-3000-000000006102}2956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x800000000000000077577Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:31:44.375{B58D6529-E28E-62A1-7E00-000000006102}3696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8890902744B8BF34B37DC4CAECA08B3,SHA256=A5F11E7220CE5934F6A71B1E71C851E5048DC091E13F4AE8DF892D3D28059C3E,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000077576Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:31:42.208{B58D6529-E286-62A1-7400-000000006102}4000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-921.attackrange.local60830-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000-
23542300x800000000000000077578Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:31:45.469{B58D6529-E28E-62A1-7E00-000000006102}3696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBFEF88158B2B91E8B107DFE8E885DA3,SHA256=D67C8BD9AB3BF7CF3F8017744811427536C132C572FD411D03CE64D52C59B411,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000077580Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:31:46.859{B58D6529-E6B0-62A1-2E01-000000006102}5472ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\backup\AttackRangeSysmon.xml@2022-06-09_123139MD5=50D31E480538160ABFEE6AA497B1A59D,SHA256=CC1FF4C2D439823DB95B6EC6A59C53C724E1BA26571A3F90C56E47B318FBA25F,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000077579Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:31:46.562{B58D6529-E28E-62A1-7E00-000000006102}3696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=621E060D366DD6910936C051E3BC0A19,SHA256=F38A0B229C764991EB9E2A96CE489F38CE129B48B7FE494CE832CD31DAC77B72,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000077581Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:31:47.656{B58D6529-E28E-62A1-7E00-000000006102}3696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56C338039726C887CFFDDCA649527167,SHA256=74DA72A904F0EDD9C9B8AA9D1A6C468C6C4DE6DEC18BFD0288DD98283CE54571,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000077582Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:31:48.750{B58D6529-E28E-62A1-7E00-000000006102}3696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A45F03393C7F1899DC469D5FC157C5DA,SHA256=D2ED8D7E465473723677E6A729783CDFE4FE4FEE3CF09725991F474CB51AFD0B,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000077584Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:31:49.843{B58D6529-E28E-62A1-7E00-000000006102}3696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE67B73DD1F3D87BD11BBC96EA73FBC1,SHA256=830C4EB34C1D393798C8164BA4DEFEC49C68359919ABA52F2EC17F468C761ACA,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000077583Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:31:48.255{B58D6529-E286-62A1-7400-000000006102}4000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-921.attackrange.local60831-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000-
23542300x800000000000000077585Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:31:50.937{B58D6529-E28E-62A1-7E00-000000006102}3696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09A12867D68F1325B7EBEFF91C679294,SHA256=7C8064E2D9632BBA0B90C23D31B27783E07FE3F1E2E5BD3DC3F55B2CF4496BF8,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000077586Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:31:52.031{B58D6529-E28E-62A1-7E00-000000006102}3696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C54BE403E4D5375E5754707A09639835,SHA256=A9C7839DDA0ACE60D504CE15200439C2A8E91CBE27813D103AA0C9205F4090B1,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000077588Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:31:53.875{B58D6529-E6B0-62A1-2E01-000000006102}5472ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\backup\AttackRangeSysmon.xml@2022-06-09_123139MD5=CC0F6211A8F8546A5F14336ACE466D8C,SHA256=A22F8D5873170FA98C20295A2AC567B8186A60A4B1FB0D06773FF8EF878ED731,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000077587Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:31:53.125{B58D6529-E28E-62A1-7E00-000000006102}3696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29F51043BD104232CB76C656A10D3A8F,SHA256=AFCE670EBBD1B01753E5534CCF25E1C9FA9A34E8ED76DF98DB3AA05DB1C97741,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000077589Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:31:54.218{B58D6529-E28E-62A1-7E00-000000006102}3696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A08D37F5EB67F79A4C10A32668DC00F9,SHA256=5541E360D4A4CCCD306824B87B41BFD1E60DD74BA50013E40A7F561D07813050,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000077591Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:31:54.162{B58D6529-E286-62A1-7400-000000006102}4000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-921.attackrange.local60832-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000-
23542300x800000000000000077590Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:31:55.312{B58D6529-E28E-62A1-7E00-000000006102}3696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB64F84D9C9C65049133B19871A3A521,SHA256=C11A1A8FF7FAB24B9DDC99D188FBB746E45FBEC3BEE3DFC0A17A4F2E435A5687,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000077592Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:31:56.406{B58D6529-E28E-62A1-7E00-000000006102}3696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E10FB069B44EC1BAC1284DECFE12B6D2,SHA256=EBA5BA17CEE219983865E17AC2DB478A3D7416D75D14F4E34C0F5589D220BF6F,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000077595Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:31:57.500{B58D6529-E28E-62A1-7E00-000000006102}3696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E963B912CC26C6950FF21973B40179C,SHA256=C11BC81B0CF0A0A5F810821122C2C66A589984CF1190F18A19DE54C1922148FC,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000077594Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:31:57.328{B58D6529-E6B0-62A1-2E01-000000006102}5472ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\backup\AttackRangeSysmon.xml@2022-06-09_123139MD5=034A7B45AD0ECEBC58CC41C4C0D29245,SHA256=0F8BD81A69D7592DAB82CC2A3CB556D6E120CC66C25E5E6DAA4593AD2C1D2FC1,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000077593Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:31:57.312{B58D6529-E6B0-62A1-2E01-000000006102}5472ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Program Files\ansible\AttackRangeSysmon.xmlMD5=A070319518495963E3BE0AC58CFA50EE,SHA256=725E6C43A5F0D516BD77B286DC532596CCFC4B5132533856EDAEC4D8F24D091F,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000077596Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:31:58.593{B58D6529-E28E-62A1-7E00-000000006102}3696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE269A5AC86D1104A6FBE373A5A7F2E7,SHA256=B4D56A3AA5BFEA3C892F26BD35ABBF198842FCFD7445738137B44C347CD6C4BF,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000077597Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:31:59.687{B58D6529-E28E-62A1-7E00-000000006102}3696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69B8EBAD8AA38E6BA190D5E73D0ECF33,SHA256=AB73451D9D47F4FB37B30009BF9E5E4F897E38DE1B89DDDE387821FB6242C1B1,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000077600Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:31:59.209{B58D6529-E286-62A1-7400-000000006102}4000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-921.attackrange.local60833-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000-
23542300x800000000000000077599Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:32:00.775{B58D6529-E28E-62A1-7E00-000000006102}3696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00A02CE6D67F1E7162F79D75F87A3F85,SHA256=DFC8FCF9A37AA29330A2E7297C88A75D7F0A79517E8BA30BE644A00E14656C14,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000077598Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:32:00.754{B58D6529-E27B-62A1-2A00-000000006102}2888NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-080141b80183777f0\channels\health\respondent-20220609120725-023MD5=B05F49A8181BD25F3D28D5D97A217946,SHA256=A974E01C88512E711C54F51B09ED6384637A1AE8E804DD0DEBEECEE074CCA559,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000077602Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:32:01.866{B58D6529-E28E-62A1-7E00-000000006102}3696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6BE78F95BF26ECF2BE93F60E59F32A1,SHA256=3ADD7489D418AEA4EBFBECF202142EA19EDE5F30DDF15F40FAFBC7117CD66B16,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000077601Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:32:01.759{B58D6529-E27B-62A1-2A00-000000006102}2888NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-080141b80183777f0\channels\health\surveyor-20220609120723-024MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000077603Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:32:02.855{B58D6529-E28E-62A1-7E00-000000006102}3696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA70E474825334C0C76D6EB23A24461D,SHA256=049868844725D0BD83D2FB75810E05DEB2BE6269659B3A3A4854E3E40CC78A88,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000077604Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:32:03.948{B58D6529-E28E-62A1-7E00-000000006102}3696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=078505B5FD6F128CFA6025F820D61AC7,SHA256=7878710E8A13861976609BFD986313A9EA5C16DD0129B82A035888D677A5EB40,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000077605Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:32:04.245{B58D6529-E26D-62A1-0D00-000000006102}8921336C:\Windows\system32\svchost.exe{B58D6529-E26D-62A1-1000-000000006102}304C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3d877|c:\windows\system32\rpcss.dll+29a97|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
23542300x800000000000000077606Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:32:05.042{B58D6529-E28E-62A1-7E00-000000006102}3696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=725E3599B7E79A523E16DF231A3CA382,SHA256=CEE9DCB72B8F7FCC9D85C52CA970F738BF691A6C21F43530DFAE8C09BB813CC0,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000077608Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:32:06.136{B58D6529-E28E-62A1-7E00-000000006102}3696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E09F8BF695A7AE77B6581B9675024E4,SHA256=FAFCAE3400565804910B4E97980CAADA086FE4E0D7C322B03B2AC67842E950F0,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000077607Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:32:04.329{B58D6529-E286-62A1-7400-000000006102}4000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-921.attackrange.local60834-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000-
23542300x800000000000000077610Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:32:07.230{B58D6529-E28E-62A1-7E00-000000006102}3696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38FD85ACF25B6C7E202AD43329A0D263,SHA256=6518792186C5CFB5715816570C2B3C13DC164F80823B3BEA8DB3540B21D688F5,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000077609Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:32:07.011{B58D6529-E27B-62A1-3000-000000006102}2956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=DB1ECEA54D265DB5A88C124C089CC028,SHA256=776F2E56AD80EE53A93E40F31D0B278820FC7D9FFF4882136ED35F41585F7F2E,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000077611Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:32:08.323{B58D6529-E28E-62A1-7E00-000000006102}3696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6DCBE29BE3DD850FD22C033000B58939,SHA256=D70FA8654CF7F28309CF364C5E0D0A307210C7135DDF5DFA0CC4B86AEDBB74A2,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000077613Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:32:09.761{B58D6529-E26D-62A1-1100-000000006102}392NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=7E6F43A294C3F62177377763EE8E1567,SHA256=71296488E9096E714EB4695BE497F9B0A79C2779F2D9DC178100BED240D21930,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000077612Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:32:09.417{B58D6529-E28E-62A1-7E00-000000006102}3696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D17079F6C2175709E520110009084C40,SHA256=6DF6F91CBB49D7D87EF3604404848326498516984DD94C9D8332614E41CC2214,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000077614Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:32:10.511{B58D6529-E28E-62A1-7E00-000000006102}3696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29CE08E1E45883E4EB9B43716F856E7D,SHA256=CC0525408F41C6ACB122F0D0638378E036AE90F95CAB946909F7F4CFCFF20F61,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000077616Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:32:11.604{B58D6529-E28E-62A1-7E00-000000006102}3696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC1F1E9118B3145655DAED246FCE5D2A,SHA256=D22350B6C8260156F813F32F7971C18C91D10376F6267E9FB0C0DA8B112DF0A9,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000077615Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:32:10.094{B58D6529-E286-62A1-7400-000000006102}4000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-921.attackrange.local60835-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000-
23542300x800000000000000077617Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:32:12.698{B58D6529-E28E-62A1-7E00-000000006102}3696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A3B4622C329B06640DD661C0F2BA175,SHA256=BE7EB9A12B0A06CA8880E865DA6388FA5E87789A9A5DEFB54FD9FF2439574A40,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000077618Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:32:13.792{B58D6529-E28E-62A1-7E00-000000006102}3696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=057778A446B88A54F1AA55A995F118DD,SHA256=D38AE7549582F8BD6DEB1B108D4BB60C9F776EB329F0642A3F688157A600FC46,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000077619Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:32:14.886{B58D6529-E28E-62A1-7E00-000000006102}3696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37A6CD32BF3A245BA3771E6EE2229CB2,SHA256=EF9BB5DE8C846D0373841A8A1B49C17B220599458CA645B32BBA4E4A0FB25A36,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000077620Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:32:15.979{B58D6529-E28E-62A1-7E00-000000006102}3696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA482DB1525CA793CB142A8BB8582ABA,SHA256=8AC31DE73AECD689EA2DC36B7839D990DB065FDE5D83B24AA17AD6CE03AFD701,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000077621Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:32:15.157{B58D6529-E286-62A1-7400-000000006102}4000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-921.attackrange.local60836-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000-
23542300x800000000000000077622Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:32:17.073{B58D6529-E28E-62A1-7E00-000000006102}3696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5EE150A51E1A7B0DBD859C9F33721988,SHA256=8449CC7F38A2EFDD4B984A8AA4F510E5E34499BAAD86EEA8DED338BEA05A6446,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000077623Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:32:18.167{B58D6529-E28E-62A1-7E00-000000006102}3696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36F9D533E0F308FAED0AC71008B730FF,SHA256=207CE310A943892C2F8DCC40B799286CDF5BEA77B2020BAFA63FF0460169E785,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000077624Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:32:19.261{B58D6529-E28E-62A1-7E00-000000006102}3696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0EEF3F7C7D04A8DB3F569359B919E90E,SHA256=4175B41F71D08F22417BFB4151548DA423B0585EC08494357A40C143B739E07C,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000077625Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:32:20.370{B58D6529-E28E-62A1-7E00-000000006102}3696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2F98B7AC289000DA44DF4B7A834B781,SHA256=13EF6D99A3338FA45B90EF37303A0C89858A447074F8122BC5E0F15842C06AD6,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000077627Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:32:20.172{B58D6529-E286-62A1-7400-000000006102}4000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-921.attackrange.local60837-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000-
23542300x800000000000000077626Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:32:21.464{B58D6529-E28E-62A1-7E00-000000006102}3696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54E540F4EFCF8ADD510AB2D421E6B305,SHA256=036707D444172E9064799A5883ACE63422882E1F7377DA7392E3C1E8D595DDB2,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000077629Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:32:22.558{B58D6529-E28E-62A1-7E00-000000006102}3696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=980D2DF4B99BAD734DCB9B860AC72AB6,SHA256=D4C7244F79E47540931A1B2773408C191F2BF61DFA97E35E00C0C34CE164E6C4,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000077628Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:32:22.526{B58D6529-E27B-62A1-3000-000000006102}2956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=2E4874A8D89F22A87EE909EFA8C2135A,SHA256=51D23DA60BE266B23909A4839E20EACE8F918230F4858A2569297A92FFAABD91,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000077631Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:32:22.578{B58D6529-E27B-62A1-3000-000000006102}2956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-921.attackrange.local60838-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089-
23542300x800000000000000077630Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:32:23.651{B58D6529-E28E-62A1-7E00-000000006102}3696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38A3E8FE0DD2BDA958C4951B07091CA1,SHA256=746AACA69E8FBEACF35C3B388E6D3B6FA83587C7B4461D831C6214F83D6B20E9,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000077632Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:32:24.745{B58D6529-E28E-62A1-7E00-000000006102}3696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30145861FFA0AE3DF9727825F5E8C3B1,SHA256=CDEF63E5D989880D311E32EB64E15E850B582D822DC48118CE07ECD480C8FE2E,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000077633Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:32:25.830{B58D6529-E28E-62A1-7E00-000000006102}3696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D53BC92827D3310238DE50595E616F06,SHA256=48B725555B107357B0690DEA795C7EC7E2D08CEABDC750EA0D82E82A1765B46C,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000077634Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:32:26.924{B58D6529-E28E-62A1-7E00-000000006102}3696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCD5542C56B74512AD963DDC844EAED7,SHA256=3050EDCE8192A4372676A600B15409B22BD5A7A634452506819777BBB33AC229,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000077635Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:32:25.786{B58D6529-E27D-62A1-4600-000000006102}3372C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-921.attackrange.local60839-false169.254.169.254-80http
354300x800000000000000077637Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:32:26.163{B58D6529-E286-62A1-7400-000000006102}4000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-921.attackrange.local60840-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000-
23542300x800000000000000077636Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:32:28.017{B58D6529-E28E-62A1-7E00-000000006102}3696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77E3F15032C19A10FC479885364D2B0B,SHA256=68AC6886F5488894FDA5E4C56E4DFB385555F658B6F31C331A5617EA0A1BE9E1,IMPHASH=00000000000000000000000000000000falsetrue
13241300x800000000000000077639Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-SetValue2022-06-09 12:32:29.783{B58D6529-E26D-62A1-1200-000000006102}760C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d87bfc-0xfc08bf77)
23542300x800000000000000077638Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:32:29.111{B58D6529-E28E-62A1-7E00-000000006102}3696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88B748386A6CBFF4684EA2000B455308,SHA256=AAB6FCEC97C4B3AC339903E7F3B58CA0DB1D9EFC57166BB74397195A96C4EAA8,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000077642Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:32:30.330{B58D6529-E26B-62A1-0B00-000000006102}628832C:\Windows\system32\lsass.exe{B58D6529-E484-62A1-D700-000000006102}4724C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000077641Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:32:30.330{B58D6529-E26B-62A1-0B00-000000006102}628832C:\Windows\system32\lsass.exe{B58D6529-E484-62A1-D700-000000006102}4724C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
23542300x800000000000000077640Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:32:30.205{B58D6529-E28E-62A1-7E00-000000006102}3696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7B2676514D8475AB9A68CAE7C6CC8E9,SHA256=7B1AEFBC21DD46AC500AE4891ABA0D02C671EDD3430C59B9B1A2B135EC9F2BBE,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000077653Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:32:31.830{B58D6529-E85F-62A1-8101-000000006102}49805212C:\Windows\system32\conhost.exe{B58D6529-E85F-62A1-8001-000000006102}4508C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000077652Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:32:31.767{B58D6529-E26D-62A1-1400-000000006102}10681200C:\Windows\system32\svchost.exe{B58D6529-E27B-62A1-2C00-000000006102}2912C:\Windows\sysmon64.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\cryptsvc.dll+6124|c:\windows\system32\cryptsvc.dll+5e34|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000077651Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:32:31.767{B58D6529-E481-62A1-C800-000000006102}21963416C:\Windows\system32\csrss.exe{B58D6529-E85F-62A1-8101-000000006102}4980C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x800000000000000077650Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:32:31.752{B58D6529-E481-62A1-C800-000000006102}21961048C:\Windows\system32\csrss.exe{B58D6529-E85F-62A1-8001-000000006102}4508C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x800000000000000077649Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:32:31.752{B58D6529-E484-62A1-D700-000000006102}47245792C:\Windows\Explorer.EXE{B58D6529-E85F-62A1-8001-000000006102}4508C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+20f478|C:\Windows\System32\windows.storage.dll+16655a|C:\Windows\System32\windows.storage.dll+1662b2|C:\Windows\System32\SHELL32.dll+4c8cd|C:\Windows\System32\SHELL32.dll+4b466|C:\Windows\System32\SHELL32.dll+6d039|C:\Windows\System32\SHELL32.dll+e093e|C:\Windows\System32\SHELL32.dll+155030|C:\Windows\System32\SHELL32.dll+17ae8c|C:\Windows\System32\SHELL32.dll+198278|C:\Windows\System32\SHELL32.dll+17b026|C:\Windows\system32\explorerframe.dll+13cf7b|C:\Windows\system32\explorerframe.dll+139d07
10341000x800000000000000077648Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:32:31.752{B58D6529-E26D-62A1-0C00-000000006102}8364124C:\Windows\system32\svchost.exe{B58D6529-E27B-62A1-2C00-000000006102}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000077647Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:32:31.752{B58D6529-E26D-62A1-0C00-000000006102}8364124C:\Windows\system32\svchost.exe{B58D6529-E27B-62A1-2C00-000000006102}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000077646Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:32:31.752{B58D6529-E26D-62A1-0C00-000000006102}8364124C:\Windows\system32\svchost.exe{B58D6529-E27B-62A1-2C00-000000006102}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000077645Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:32:31.752{B58D6529-E26D-62A1-0C00-000000006102}8364124C:\Windows\system32\svchost.exe{B58D6529-E27B-62A1-2C00-000000006102}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x800000000000000077644Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:32:31.751{B58D6529-E85F-62A1-8001-000000006102}4508C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"cmd.exe" /s /k pushd "C:\Program Files\ansible\sysmon"C:\Windows\system32\ATTACKRANGE\Administrator{B58D6529-E483-62A1-53A6-0C0000000000}0xca6532HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{B58D6529-E484-62A1-D700-000000006102}4724C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK
23542300x800000000000000077643Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:32:31.299{B58D6529-E28E-62A1-7E00-000000006102}3696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D32191730E926F5A0D681D2D8A7049AF,SHA256=BBA19D8B713C706FD30E9869FBB3952DB360F1C6229B932C27978DF4B09F67CF,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000077670Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:32:32.861{B58D6529-E28E-62A1-7E00-000000006102}3696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=88B9C2C3713CB4228926593F002063B1,SHA256=1D90BEF28A2E64BD3A58D3E02AF1352CDBCA51C4B46B37D2B12D7F952A908B10,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000077669Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:32:32.392{B58D6529-E28E-62A1-7E00-000000006102}3696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9DA0FE7079A2A5BE53A9166F0EEC5EE5,SHA256=2471DC53A79514F495976B1C581D26F43FBA1C18C418482B1FE8209CC5D418BF,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000077668Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:32:32.143{B58D6529-E484-62A1-D700-000000006102}47244252C:\Windows\Explorer.EXE{B58D6529-E85F-62A1-8001-000000006102}4508C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dadff|C:\Windows\System32\SHELL32.dll+dbd25|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13beff|C:\Windows\System32\windows.storage.dll+13ac83|C:\Windows\System32\windows.storage.dll+1391af|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000077667Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:32:32.143{B58D6529-E484-62A1-D700-000000006102}47244252C:\Windows\Explorer.EXE{B58D6529-E85F-62A1-8001-000000006102}4508C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbc3e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13beff|C:\Windows\System32\windows.storage.dll+13ac83|C:\Windows\System32\windows.storage.dll+1391af|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000077666Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:32:32.143{B58D6529-E484-62A1-D700-000000006102}47244252C:\Windows\Explorer.EXE{B58D6529-E85F-62A1-8001-000000006102}4508C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+db054|C:\Windows\System32\SHELL32.dll+dbc07|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13beff|C:\Windows\System32\windows.storage.dll+13ac83|C:\Windows\System32\windows.storage.dll+1391af|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000077665Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:32:32.127{B58D6529-E483-62A1-D200-000000006102}43084404C:\Windows\system32\taskhostw.exe{B58D6529-E85F-62A1-8101-000000006102}4980C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000077664Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:32:32.111{B58D6529-E483-62A1-D200-000000006102}43084404C:\Windows\system32\taskhostw.exe{B58D6529-E85F-62A1-8101-000000006102}4980C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000077663Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:32:32.080{B58D6529-E484-62A1-D700-000000006102}47244892C:\Windows\Explorer.EXE{B58D6529-E85F-62A1-8001-000000006102}4508C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dadff|C:\Windows\System32\SHELL32.dll+dbd25|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13beff|C:\Windows\System32\windows.storage.dll+13ac83|C:\Windows\System32\windows.storage.dll+1391af|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000077662Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:32:32.080{B58D6529-E484-62A1-D700-000000006102}47244892C:\Windows\Explorer.EXE{B58D6529-E85F-62A1-8001-000000006102}4508C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbc3e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13beff|C:\Windows\System32\windows.storage.dll+13ac83|C:\Windows\System32\windows.storage.dll+1391af|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000077661Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:32:32.080{B58D6529-E484-62A1-D700-000000006102}47244892C:\Windows\Explorer.EXE{B58D6529-E85F-62A1-8001-000000006102}4508C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+db054|C:\Windows\System32\SHELL32.dll+dbc07|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13beff|C:\Windows\System32\windows.storage.dll+13ac83|C:\Windows\System32\windows.storage.dll+1391af|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000077660Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:32:32.080{B58D6529-E484-62A1-D700-000000006102}47244892C:\Windows\Explorer.EXE{B58D6529-E85F-62A1-8001-000000006102}4508C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13beff|C:\Windows\System32\windows.storage.dll+13ac83|C:\Windows\System32\windows.storage.dll+1391af|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000077659Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:32:32.080{B58D6529-E484-62A1-D700-000000006102}47244860C:\Windows\Explorer.EXE{B58D6529-E85F-62A1-8101-000000006102}4980C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dadff|C:\Windows\System32\SHELL32.dll+dc3b0|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000077658Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:32:32.080{B58D6529-E484-62A1-D700-000000006102}47244860C:\Windows\Explorer.EXE{B58D6529-E85F-62A1-8101-000000006102}4980C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123a10|C:\Windows\System32\SHELL32.dll+dc36c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000077657Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:32:32.080{B58D6529-E484-62A1-D700-000000006102}47244860C:\Windows\Explorer.EXE{B58D6529-E85F-62A1-8101-000000006102}4980C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+db054|C:\Windows\System32\SHELL32.dll+dc340|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000077656Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:32:32.080{B58D6529-E484-62A1-D700-000000006102}47244860C:\Windows\Explorer.EXE{B58D6529-E85F-62A1-8101-000000006102}4980C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000077655Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:32:32.049{B58D6529-E26D-62A1-1000-000000006102}304876C:\Windows\system32\svchost.exe{B58D6529-E85F-62A1-8101-000000006102}4980C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000077654Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:32:32.049{B58D6529-E26D-62A1-1000-000000006102}3041360C:\Windows\system32\svchost.exe{B58D6529-E85F-62A1-8101-000000006102}4980C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
23542300x800000000000000077671Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:32:33.502{B58D6529-E28E-62A1-7E00-000000006102}3696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F741BB4CD3286FB35676E4D577C90C4B,SHA256=E70EA12906A97756B868BFA3C6EF83DD1B5132369AE34E882964DEBBEBA8C8CE,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000077673Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:32:34.595{B58D6529-E28E-62A1-7E00-000000006102}3696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC8BF91662FC744A4DD9DE289ED8A117,SHA256=8B6BD868C65E39A22366D3072713F1DAC11143299D53897529CD831E02FBE18A,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000077672Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:32:32.163{B58D6529-E286-62A1-7400-000000006102}4000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-921.attackrange.local60841-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000-
23542300x800000000000000077674Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:32:35.689{B58D6529-E28E-62A1-7E00-000000006102}3696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82693B4F6ED208C8C66B0889198CB12D,SHA256=9DD15AD5AE36A63CBBFAECFC20EBA6D805EA955170AB3AE394B84A9A67129053,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000077683Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:32:36.783{B58D6529-E28E-62A1-7E00-000000006102}3696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B838F0AC8AA631E1F355AD05763C019,SHA256=60F3C6BB93220626527D83908279D91FCD73CBA1B3869875856DBEE5CFAA85F4,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000077682Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:32:36.142{B58D6529-E27C-62A1-3800-000000006102}12562908C:\Windows\system32\conhost.exe{B58D6529-E864-62A1-8201-000000006102}4520C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000077681Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:32:36.142{B58D6529-E26D-62A1-0C00-000000006102}8364124C:\Windows\system32\svchost.exe{B58D6529-E27B-62A1-2C00-000000006102}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000077680Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:32:36.142{B58D6529-E26D-62A1-0C00-000000006102}8364124C:\Windows\system32\svchost.exe{B58D6529-E27B-62A1-2C00-000000006102}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000077679Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:32:36.142{B58D6529-E26D-62A1-0C00-000000006102}8364124C:\Windows\system32\svchost.exe{B58D6529-E27B-62A1-2C00-000000006102}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000077678Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:32:36.142{B58D6529-E26D-62A1-0C00-000000006102}8364124C:\Windows\system32\svchost.exe{B58D6529-E27B-62A1-2C00-000000006102}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000077677Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:32:36.142{B58D6529-E26A-62A1-0500-000000006102}416528C:\Windows\system32\csrss.exe{B58D6529-E864-62A1-8201-000000006102}4520C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x800000000000000077676Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:32:36.142{B58D6529-E27B-62A1-3000-000000006102}29563760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B58D6529-E864-62A1-8201-000000006102}4520C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x800000000000000077675Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:32:36.143{B58D6529-E864-62A1-8201-000000006102}4520C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B58D6529-E26B-62A1-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{B58D6529-E27B-62A1-3000-000000006102}2956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
10341000x800000000000000077702Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:32:37.908{B58D6529-E27C-62A1-3800-000000006102}12562908C:\Windows\system32\conhost.exe{B58D6529-E865-62A1-8401-000000006102}5752C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000077701Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:32:37.908{B58D6529-E26D-62A1-0C00-000000006102}836948C:\Windows\system32\svchost.exe{B58D6529-E27B-62A1-2C00-000000006102}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000077700Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:32:37.908{B58D6529-E26D-62A1-0C00-000000006102}836948C:\Windows\system32\svchost.exe{B58D6529-E27B-62A1-2C00-000000006102}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000077699Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:32:37.908{B58D6529-E26D-62A1-0C00-000000006102}836948C:\Windows\system32\svchost.exe{B58D6529-E27B-62A1-2C00-000000006102}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000077698Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:32:37.908{B58D6529-E26D-62A1-0C00-000000006102}836948C:\Windows\system32\svchost.exe{B58D6529-E27B-62A1-2C00-000000006102}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000077697Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:32:37.908{B58D6529-E26A-62A1-0500-000000006102}416296C:\Windows\system32\csrss.exe{B58D6529-E865-62A1-8401-000000006102}5752C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x800000000000000077696Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:32:37.908{B58D6529-E27B-62A1-3000-000000006102}29563760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B58D6529-E865-62A1-8401-000000006102}5752C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x800000000000000077695Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:32:37.910{B58D6529-E865-62A1-8401-000000006102}5752C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B58D6529-E26B-62A1-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{B58D6529-E27B-62A1-3000-000000006102}2956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x800000000000000077694Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:32:37.877{B58D6529-E28E-62A1-7E00-000000006102}3696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C76D89D9F11AE6572ADB00AB9D3E90B,SHA256=EA00B0992ED6F92EFBF694DB3699F7C051BAA2A8D555D53C4B77A05A0C7C4F89,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000077693Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:32:37.361{B58D6529-E865-62A1-8301-000000006102}55365320C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{B58D6529-E27B-62A1-3000-000000006102}2956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
23542300x800000000000000077692Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:32:37.299{B58D6529-E27B-62A1-3000-000000006102}2956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=C9DE45FFB9BE31B9E96D5CF0324C01E0,SHA256=BA98FF7472CDDB729226885C51CEF430D68547733CD9ECF358BC89EA5F5FC0FF,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000077691Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:32:37.142{B58D6529-E27C-62A1-3800-000000006102}12562908C:\Windows\system32\conhost.exe{B58D6529-E865-62A1-8301-000000006102}5536C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000077690Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:32:37.142{B58D6529-E26D-62A1-0C00-000000006102}8364124C:\Windows\system32\svchost.exe{B58D6529-E27B-62A1-2C00-000000006102}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000077689Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:32:37.142{B58D6529-E26D-62A1-0C00-000000006102}8364124C:\Windows\system32\svchost.exe{B58D6529-E27B-62A1-2C00-000000006102}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000077688Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:32:37.142{B58D6529-E26D-62A1-0C00-000000006102}8364124C:\Windows\system32\svchost.exe{B58D6529-E27B-62A1-2C00-000000006102}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000077687Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:32:37.142{B58D6529-E26D-62A1-0C00-000000006102}8364124C:\Windows\system32\svchost.exe{B58D6529-E27B-62A1-2C00-000000006102}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000077686Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:32:37.142{B58D6529-E26A-62A1-0500-000000006102}416528C:\Windows\system32\csrss.exe{B58D6529-E865-62A1-8301-000000006102}5536C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x800000000000000077685Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:32:37.142{B58D6529-E27B-62A1-3000-000000006102}29563760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B58D6529-E865-62A1-8301-000000006102}5536C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x800000000000000077684Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:32:37.143{B58D6529-E865-62A1-8301-000000006102}5536C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B58D6529-E26B-62A1-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{B58D6529-E27B-62A1-3000-000000006102}2956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x800000000000000077712Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:32:38.986{B58D6529-E28E-62A1-7E00-000000006102}3696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9186047DE961437EB2849F3EFC6FD5C8,SHA256=AB506EFEBD31A4F486884CCA9517BD9108B8D655761E9000DFC2D36CE1C62B59,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000077711Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:32:38.986{B58D6529-E28E-62A1-7E00-000000006102}3696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7355DC29BF049CDB8145D61A2489227C,SHA256=9B99DDD797FB72F08E406DCE12642DEFE61243507227736F5F814DC864D656D3,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000077710Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:32:38.705{B58D6529-E26D-62A1-1000-000000006102}304876C:\Windows\system32\svchost.exe{B58D6529-E866-62A1-8501-000000006102}1388C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000077709Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:32:38.705{B58D6529-E26D-62A1-1000-000000006102}3041360C:\Windows\system32\svchost.exe{B58D6529-E866-62A1-8501-000000006102}1388C:\Windows\system32\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000077708Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:32:38.689{B58D6529-E26D-62A1-0C00-000000006102}836948C:\Windows\system32\svchost.exe{B58D6529-E866-62A1-8501-000000006102}1388C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+40856|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+54f9b|C:\Windows\System32\RPCRT4.dll+5367a|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000077707Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:32:38.674{B58D6529-E481-62A1-C800-000000006102}21961048C:\Windows\system32\csrss.exe{B58D6529-E866-62A1-8501-000000006102}1388C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x800000000000000077706Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:32:38.674{B58D6529-E26A-62A1-0500-000000006102}416296C:\Windows\system32\csrss.exe{B58D6529-E866-62A1-8501-000000006102}1388C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x800000000000000077705Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:32:38.674{B58D6529-E26D-62A1-0C00-000000006102}836948C:\Windows\system32\svchost.exe{B58D6529-E866-62A1-8501-000000006102}1388C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6f523|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+25bc9|c:\windows\system32\rpcss.dll+40ca2|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+54f9b|C:\Windows\System32\RPCRT4.dll+5367a|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
354300x800000000000000077704Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:32:36.679{B58D6529-E26B-62A1-0B00-000000006102}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-921.attackrange.local60842-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-921.attackrange.local389ldap
354300x800000000000000077703Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:32:36.679{B58D6529-E27B-62A1-3100-000000006102}1860C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-921.attackrange.local60842-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-921.attackrange.local389ldap
10341000x800000000000000077732Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:32:39.861{B58D6529-E867-62A1-8601-000000006102}14361152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B58D6529-E27B-62A1-3000-000000006102}2956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000077731Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:32:39.799{B58D6529-E484-62A1-D700-000000006102}47244252C:\Windows\Explorer.EXE{B58D6529-E85F-62A1-8001-000000006102}4508C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dadff|C:\Windows\System32\SHELL32.dll+dbd25|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13beff|C:\Windows\System32\windows.storage.dll+13ac83|C:\Windows\System32\windows.storage.dll+1391af|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000077730Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:32:39.799{B58D6529-E484-62A1-D700-000000006102}47244252C:\Windows\Explorer.EXE{B58D6529-E85F-62A1-8001-000000006102}4508C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbc3e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13beff|C:\Windows\System32\windows.storage.dll+13ac83|C:\Windows\System32\windows.storage.dll+1391af|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000077729Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:32:39.799{B58D6529-E484-62A1-D700-000000006102}47244252C:\Windows\Explorer.EXE{B58D6529-E85F-62A1-8001-000000006102}4508C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+db054|C:\Windows\System32\SHELL32.dll+dbc07|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13beff|C:\Windows\System32\windows.storage.dll+13ac83|C:\Windows\System32\windows.storage.dll+1391af|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000077728Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:32:39.799{B58D6529-E484-62A1-D700-000000006102}47244860C:\Windows\Explorer.EXE{B58D6529-E85F-62A1-8101-000000006102}4980C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dadff|C:\Windows\System32\SHELL32.dll+dc3b0|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000077727Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:32:39.799{B58D6529-E484-62A1-D700-000000006102}47244860C:\Windows\Explorer.EXE{B58D6529-E85F-62A1-8101-000000006102}4980C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123a10|C:\Windows\System32\SHELL32.dll+dc36c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000077726Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:32:39.799{B58D6529-E484-62A1-D700-000000006102}47244860C:\Windows\Explorer.EXE{B58D6529-E85F-62A1-8101-000000006102}4980C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+db054|C:\Windows\System32\SHELL32.dll+dc340|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000077725Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:32:39.799{B58D6529-E484-62A1-D700-000000006102}47244860C:\Windows\Explorer.EXE{B58D6529-E85F-62A1-8101-000000006102}4980C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000077724Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:32:39.658{B58D6529-E27C-62A1-3800-000000006102}12562908C:\Windows\system32\conhost.exe{B58D6529-E867-62A1-8601-000000006102}1436C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000077723Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:32:39.658{B58D6529-E26D-62A1-0C00-000000006102}836948C:\Windows\system32\svchost.exe{B58D6529-E27B-62A1-2C00-000000006102}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000077722Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:32:39.658{B58D6529-E26D-62A1-0C00-000000006102}836948C:\Windows\system32\svchost.exe{B58D6529-E27B-62A1-2C00-000000006102}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000077721Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:32:39.658{B58D6529-E26D-62A1-0C00-000000006102}836948C:\Windows\system32\svchost.exe{B58D6529-E27B-62A1-2C00-000000006102}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000077720Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:32:39.658{B58D6529-E26D-62A1-0C00-000000006102}836948C:\Windows\system32\svchost.exe{B58D6529-E27B-62A1-2C00-000000006102}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000077719Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:32:39.658{B58D6529-E26A-62A1-0500-000000006102}416528C:\Windows\system32\csrss.exe{B58D6529-E867-62A1-8601-000000006102}1436C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x800000000000000077718Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:32:39.658{B58D6529-E27B-62A1-3000-000000006102}29563760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B58D6529-E867-62A1-8601-000000006102}1436C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x800000000000000077717Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:32:39.659{B58D6529-E867-62A1-8601-000000006102}1436C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B58D6529-E26B-62A1-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{B58D6529-E27B-62A1-3000-000000006102}2956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
10341000x800000000000000077716Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:32:39.502{B58D6529-E484-62A1-D700-000000006102}47245792C:\Windows\Explorer.EXE{B58D6529-E85F-62A1-8001-000000006102}4508C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\ole32.dll+8a26e|C:\Windows\System32\ole32.dll+89b6b|C:\Windows\System32\ole32.dll+88d27|C:\Windows\System32\ole32.dll+8c957|C:\Windows\System32\SHELL32.dll+2c8f6d|C:\Windows\System32\SHELL32.dll+2839de|C:\Windows\system32\explorerframe.dll+b29b9|C:\Windows\system32\DUI70.dll+48b9d|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+9f5a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+4f50e|C:\Windows\system32\explorerframe.dll+4d2f6|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+1aced|C:\Windows\system32\explorerframe.dll+1ac26|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9
10341000x800000000000000077715Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:32:39.502{B58D6529-E484-62A1-D700-000000006102}47245792C:\Windows\Explorer.EXE{B58D6529-E85F-62A1-8001-000000006102}4508C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\ole32.dll+b5f62|C:\Windows\System32\ole32.dll+89b39|C:\Windows\System32\ole32.dll+88d27|C:\Windows\System32\ole32.dll+8c957|C:\Windows\System32\SHELL32.dll+2c8f6d|C:\Windows\System32\SHELL32.dll+2839de|C:\Windows\system32\explorerframe.dll+b29b9|C:\Windows\system32\DUI70.dll+48b9d|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+9f5a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+4f50e|C:\Windows\system32\explorerframe.dll+4d2f6|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+1aced|C:\Windows\system32\explorerframe.dll+1ac26|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9
10341000x800000000000000077714Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:32:39.002{B58D6529-E484-62A1-D700-000000006102}47245792C:\Windows\Explorer.EXE{B58D6529-E85F-62A1-8001-000000006102}4508C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\ole32.dll+8a360|C:\Windows\System32\ole32.dll+8c46e|C:\Windows\System32\ole32.dll+8c93b|C:\Windows\System32\SHELL32.dll+2c8f6d|C:\Windows\System32\SHELL32.dll+2839de|C:\Windows\system32\explorerframe.dll+b29b9|C:\Windows\system32\DUI70.dll+48b9d|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+9f5a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+4f50e|C:\Windows\system32\explorerframe.dll+4d2f6|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+1aced|C:\Windows\system32\explorerframe.dll+1ac26|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+5888a
10341000x800000000000000077713Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:32:39.002{B58D6529-E484-62A1-D700-000000006102}47245792C:\Windows\Explorer.EXE{B58D6529-E85F-62A1-8001-000000006102}4508C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\system32\dataexchange.dll+a087|C:\Windows\System32\ole32.dll+8c2e5|C:\Windows\System32\ole32.dll+8c93b|C:\Windows\System32\SHELL32.dll+2c8f6d|C:\Windows\System32\SHELL32.dll+2839de|C:\Windows\system32\explorerframe.dll+b29b9|C:\Windows\system32\DUI70.dll+48b9d|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+9f5a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+4f50e|C:\Windows\system32\explorerframe.dll+4d2f6|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+1aced
10341000x800000000000000077743Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:32:40.908{B58D6529-E868-62A1-8701-000000006102}57881016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B58D6529-E27B-62A1-3000-000000006102}2956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000077742Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:32:40.705{B58D6529-E27C-62A1-3800-000000006102}12562908C:\Windows\system32\conhost.exe{B58D6529-E868-62A1-8701-000000006102}5788C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000077741Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:32:40.705{B58D6529-E26D-62A1-0C00-000000006102}836948C:\Windows\system32\svchost.exe{B58D6529-E27B-62A1-2C00-000000006102}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000077740Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:32:40.705{B58D6529-E26D-62A1-0C00-000000006102}836948C:\Windows\system32\svchost.exe{B58D6529-E27B-62A1-2C00-000000006102}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000077739Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:32:40.705{B58D6529-E26D-62A1-0C00-000000006102}836948C:\Windows\system32\svchost.exe{B58D6529-E27B-62A1-2C00-000000006102}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000077738Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:32:40.705{B58D6529-E26D-62A1-0C00-000000006102}836948C:\Windows\system32\svchost.exe{B58D6529-E27B-62A1-2C00-000000006102}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000077737Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:32:40.705{B58D6529-E26A-62A1-0500-000000006102}416528C:\Windows\system32\csrss.exe{B58D6529-E868-62A1-8701-000000006102}5788C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x800000000000000077736Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:32:40.705{B58D6529-E27B-62A1-3000-000000006102}29563760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B58D6529-E868-62A1-8701-000000006102}5788C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x800000000000000077735Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:32:40.706{B58D6529-E868-62A1-8701-000000006102}5788C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{B58D6529-E26B-62A1-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{B58D6529-E27B-62A1-3000-000000006102}2956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
354300x800000000000000077734Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:32:38.132{B58D6529-E286-62A1-7400-000000006102}4000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-921.attackrange.local60843-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000-
23542300x800000000000000077733Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:32:40.080{B58D6529-E28E-62A1-7E00-000000006102}3696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=892114BB5EC652429A169520463B99BD,SHA256=AFF2A734D7040B5908CD127A00D6A6256650E1DCB57619C460D55EBCAF59C1D2,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000077778Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:32:41.549{B58D6529-E869-62A1-8901-000000006102}9324580C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{B58D6529-E27B-62A1-3000-000000006102}2956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
23542300x800000000000000077777Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:32:41.439{B58D6529-E28E-62A1-7E00-000000006102}3696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=536D2FFA0C4D38D82BECA51007A90A3E,SHA256=9F9784649B560AFE3B36A069B2129A33F592B77FEFBA4D66562BF84023F75F7D,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000077776Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:32:41.377{B58D6529-E27C-62A1-3800-000000006102}12562908C:\Windows\system32\conhost.exe{B58D6529-E869-62A1-8901-000000006102}932C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000077775Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:32:41.377{B58D6529-E26D-62A1-0C00-000000006102}836948C:\Windows\system32\svchost.exe{B58D6529-E27B-62A1-2C00-000000006102}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000077774Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:32:41.377{B58D6529-E26D-62A1-0C00-000000006102}836948C:\Windows\system32\svchost.exe{B58D6529-E27B-62A1-2C00-000000006102}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000077773Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:32:41.377{B58D6529-E26D-62A1-0C00-000000006102}836948C:\Windows\system32\svchost.exe{B58D6529-E27B-62A1-2C00-000000006102}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000077772Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:32:41.377{B58D6529-E26D-62A1-0C00-000000006102}836948C:\Windows\system32\svchost.exe{B58D6529-E27B-62A1-2C00-000000006102}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000077771Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:32:41.377{B58D6529-E26A-62A1-0500-000000006102}416528C:\Windows\system32\csrss.exe{B58D6529-E869-62A1-8901-000000006102}932C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x800000000000000077770Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:32:41.377{B58D6529-E27B-62A1-3000-000000006102}29563760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B58D6529-E869-62A1-8901-000000006102}932C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x800000000000000077769Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:32:41.377{B58D6529-E869-62A1-8901-000000006102}932C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B58D6529-E26B-62A1-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{B58D6529-E27B-62A1-3000-000000006102}2956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
12241200x800000000000000077768Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-CreateKey2022-06-09 12:32:41.080{B58D6529-E26D-62A1-1400-000000006102}1068C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters
12241200x800000000000000077767Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-CreateKey2022-06-09 12:32:41.080{B58D6529-E26D-62A1-1400-000000006102}1068C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters
12241200x800000000000000077766Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-CreateKey2022-06-09 12:32:41.080{B58D6529-E26D-62A1-1400-000000006102}1068C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters
13241300x800000000000000077765Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-SetValue2022-06-09 12:32:41.080{B58D6529-E868-62A1-8801-000000006102}708C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\ConfigHashSHA256=0F8BD81A69D7592DAB82CC2A3CB556D6E120CC66C25E5E6DAA4593AD2C1D2FC1
16341600x800000000000000077764Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local2022-06-09 12:32:41.080C:\Program Files\ansible\AttackRangeSysmon.xmlSHA256=0F8BD81A69D7592DAB82CC2A3CB556D6E120CC66C25E5E6DAA4593AD2C1D2FC1
13241300x800000000000000077763Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-SetValue2022-06-09 12:32:41.080{B58D6529-E868-62A1-8801-000000006102}708C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\ConfigFileC:\Program Files\ansible\AttackRangeSysmon.xml
13241300x800000000000000077762Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-SetValue2022-06-09 12:32:41.080{B58D6529-E868-62A1-8801-000000006102}708C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\RulesBinary Data
13241300x800000000000000077761Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-SetValue2022-06-09 12:32:41.080{B58D6529-E868-62A1-8801-000000006102}708C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\DnsLookupBinary Data
13241300x800000000000000077760Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-SetValue2022-06-09 12:32:41.080{B58D6529-E868-62A1-8801-000000006102}708C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\CheckRevocationBinary Data
13241300x800000000000000077759Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-SetValue2022-06-09 12:32:41.080{B58D6529-E868-62A1-8801-000000006102}708C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\HashingAlgorithmDWORD (0x8000000e)
13241300x800000000000000077758Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-SetValue2022-06-09 12:32:41.080{B58D6529-E868-62A1-8801-000000006102}708C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\OptionsDWORD (0x00000007)
12241200x800000000000000077757Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-DeleteValue2022-06-09 12:32:41.080{B58D6529-E868-62A1-8801-000000006102}708C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\Rules
12241200x800000000000000077756Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-DeleteValue2022-06-09 12:32:41.080{B58D6529-E868-62A1-8801-000000006102}708C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\DnsLookup
12241200x800000000000000077755Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-DeleteValue2022-06-09 12:32:41.080{B58D6529-E868-62A1-8801-000000006102}708C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\CheckRevocation
12241200x800000000000000077754Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-DeleteValue2022-06-09 12:32:41.080{B58D6529-E868-62A1-8801-000000006102}708C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\HashingAlgorithm
12241200x800000000000000077753Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-DeleteValue2022-06-09 12:32:41.080{B58D6529-E868-62A1-8801-000000006102}708C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\Options
10341000x800000000000000077752Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:32:41.080{B58D6529-E26B-62A1-0B00-000000006102}628756C:\Windows\system32\lsass.exe{B58D6529-E868-62A1-8801-000000006102}708C:\Program Files\ansible\sysmon\Sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000077751Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:32:41.002{B58D6529-E85F-62A1-8101-000000006102}49805212C:\Windows\system32\conhost.exe{B58D6529-E868-62A1-8801-000000006102}708C:\Program Files\ansible\sysmon\Sysmon64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000077750Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:32:40.986{B58D6529-E26D-62A1-0C00-000000006102}836948C:\Windows\system32\svchost.exe{B58D6529-E27B-62A1-2C00-000000006102}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000077749Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:32:40.986{B58D6529-E26D-62A1-0C00-000000006102}836948C:\Windows\system32\svchost.exe{B58D6529-E27B-62A1-2C00-000000006102}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000077748Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:32:40.986{B58D6529-E26D-62A1-0C00-000000006102}836948C:\Windows\system32\svchost.exe{B58D6529-E27B-62A1-2C00-000000006102}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000077747Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:32:40.986{B58D6529-E481-62A1-C800-000000006102}21963416C:\Windows\system32\csrss.exe{B58D6529-E868-62A1-8801-000000006102}708C:\Program Files\ansible\sysmon\Sysmon64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x800000000000000077746Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:32:40.986{B58D6529-E26D-62A1-0C00-000000006102}836948C:\Windows\system32\svchost.exe{B58D6529-E27B-62A1-2C00-000000006102}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000077745Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:32:40.986{B58D6529-E85F-62A1-8001-000000006102}45085216C:\Windows\system32\cmd.exe{B58D6529-E868-62A1-8801-000000006102}708C:\Program Files\ansible\sysmon\Sysmon64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x800000000000000077744Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:32:40.972{B58D6529-E868-62A1-8801-000000006102}708C:\Program Files\ansible\sysmon\Sysmon64.exe13.01System activity monitorSysinternals SysmonSysinternals - www.sysinternals.com-Sysmon64.exe -c "C:\Program Files\ansible\AttackRangeSysmon.xml"C:\Program Files\ansible\sysmon\ATTACKRANGE\Administrator{B58D6529-E483-62A1-53A6-0C0000000000}0xca6532HighMD5=8A914CFB7496B8461285C009DD8F5627,SHA256=422EC998FED690C2EC3239A4BB80075F098A9A95CBDFFBC873365B9F7136A02A,IMPHASH=DCF866F4139DD7FF6C0A5D4FA050CD7A{B58D6529-E85F-62A1-8001-000000006102}4508C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Program Files\ansible\sysmon"
13241300x800000000000000077781Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-SetValue2022-06-09 12:32:42.814{B58D6529-E484-62A1-D700-000000006102}4724C:\Windows\Explorer.EXEHKU\S-1-5-21-2167596188-154398838-2475435708-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data
13241300x800000000000000077780Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-SetValue2022-06-09 12:32:42.814{B58D6529-E484-62A1-D700-000000006102}4724C:\Windows\Explorer.EXEHKU\S-1-5-21-2167596188-154398838-2475435708-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\pzq.rkrBinary Data
23542300x800000000000000077779Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:32:42.502{B58D6529-E28E-62A1-7E00-000000006102}3696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0ABCAFB99F7CC5DF15F0CFCC3314731F,SHA256=4A91E3AFC85A256C158D823BCF5CDB11CA52E5E99FC4017D2FB9E581F99298A0,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000077790Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:32:43.595{B58D6529-E28E-62A1-7E00-000000006102}3696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1EF43DEAAC365C3CCC92CFB0342CE9E6,SHA256=40608F0A855BB03FC684C6DA9FB158D84587AC885620CE5D11220C779C2B093B,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000077789Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:32:43.095{B58D6529-E27C-62A1-3800-000000006102}12562908C:\Windows\system32\conhost.exe{B58D6529-E86B-62A1-8A01-000000006102}1020C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000077788Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:32:43.095{B58D6529-E26D-62A1-0C00-000000006102}836948C:\Windows\system32\svchost.exe{B58D6529-E27B-62A1-2C00-000000006102}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000077787Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:32:43.095{B58D6529-E26D-62A1-0C00-000000006102}836948C:\Windows\system32\svchost.exe{B58D6529-E27B-62A1-2C00-000000006102}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000077786Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:32:43.095{B58D6529-E26D-62A1-0C00-000000006102}836948C:\Windows\system32\svchost.exe{B58D6529-E27B-62A1-2C00-000000006102}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000077785Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:32:43.095{B58D6529-E26D-62A1-0C00-000000006102}836948C:\Windows\system32\svchost.exe{B58D6529-E27B-62A1-2C00-000000006102}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000077784Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:32:43.095{B58D6529-E26A-62A1-0500-000000006102}416432C:\Windows\system32\csrss.exe{B58D6529-E86B-62A1-8A01-000000006102}1020C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x800000000000000077783Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:32:43.095{B58D6529-E27B-62A1-3000-000000006102}29563760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B58D6529-E86B-62A1-8A01-000000006102}1020C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x800000000000000077782Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:32:43.096{B58D6529-E86B-62A1-8A01-000000006102}1020C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B58D6529-E26B-62A1-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{B58D6529-E27B-62A1-3000-000000006102}2956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x800000000000000077801Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:32:44.689{B58D6529-E28E-62A1-7E00-000000006102}3696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=879647A655513A66049982A95AC81668,SHA256=4FF5CE39BFA294B62438CE952396A92327AD483F17B4A05A5145C9134E1E418C,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000077800Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:32:44.236{B58D6529-E28E-62A1-7E00-000000006102}3696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A486F34724EA1F22B073B84EE864E9DD,SHA256=64867003C02856031463527BBAE3C1B07B4E8143BB452E908C37B89B827C5958,IMPHASH=00000000000000000000000000000000falsetrue
13241300x800000000000000077799Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-SetValue2022-06-09 12:32:44.127{B58D6529-E484-62A1-D700-000000006102}4724C:\Windows\Explorer.EXEHKU\S-1-5-21-2167596188-154398838-2475435708-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data
13241300x800000000000000077798Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-SetValue2022-06-09 12:32:44.127{B58D6529-E484-62A1-D700-000000006102}4724C:\Windows\Explorer.EXEHKU\S-1-5-21-2167596188-154398838-2475435708-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\pzq.rkrBinary Data
10341000x800000000000000077797Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:32:44.127{B58D6529-E484-62A1-D700-000000006102}47244252C:\Windows\Explorer.EXE{B58D6529-E6B0-62A1-2E01-000000006102}5472C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dadff|C:\Windows\System32\SHELL32.dll+dbd25|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13beff|C:\Windows\System32\windows.storage.dll+13ac83|C:\Windows\System32\windows.storage.dll+1391af|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000077796Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:32:44.127{B58D6529-E484-62A1-D700-000000006102}47244252C:\Windows\Explorer.EXE{B58D6529-E6B0-62A1-2E01-000000006102}5472C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbc3e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13beff|C:\Windows\System32\windows.storage.dll+13ac83|C:\Windows\System32\windows.storage.dll+1391af|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000077795Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:32:44.127{B58D6529-E484-62A1-D700-000000006102}47244252C:\Windows\Explorer.EXE{B58D6529-E6B0-62A1-2E01-000000006102}5472C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+db054|C:\Windows\System32\SHELL32.dll+dbc07|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13beff|C:\Windows\System32\windows.storage.dll+13ac83|C:\Windows\System32\windows.storage.dll+1391af|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000077794Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:32:44.111{B58D6529-E484-62A1-D700-000000006102}47244860C:\Windows\Explorer.EXE{B58D6529-E6B0-62A1-2E01-000000006102}5472C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dadff|C:\Windows\System32\SHELL32.dll+dc3b0|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000077793Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:32:44.111{B58D6529-E484-62A1-D700-000000006102}47244860C:\Windows\Explorer.EXE{B58D6529-E6B0-62A1-2E01-000000006102}5472C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123a10|C:\Windows\System32\SHELL32.dll+dc36c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000077792Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:32:44.111{B58D6529-E484-62A1-D700-000000006102}47244860C:\Windows\Explorer.EXE{B58D6529-E6B0-62A1-2E01-000000006102}5472C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+db054|C:\Windows\System32\SHELL32.dll+dc340|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000077791Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:32:44.111{B58D6529-E484-62A1-D700-000000006102}47244860C:\Windows\Explorer.EXE{B58D6529-E6B0-62A1-2E01-000000006102}5472C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
23542300x800000000000000077812Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:32:45.783{B58D6529-E28E-62A1-7E00-000000006102}3696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C34CE118409DC36B6423C7A5A287325B,SHA256=1D90AC656936C75B2ED432B487F31B4F9EF2DA794B517D9379A8E805587AB6E9,IMPHASH=00000000000000000000000000000000falsetrue
13241300x800000000000000077811Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-SetValue2022-06-09 12:32:45.736{B58D6529-E484-62A1-D700-000000006102}4724C:\Windows\Explorer.EXEHKU\S-1-5-21-2167596188-154398838-2475435708-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data
13241300x800000000000000077810Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-SetValue2022-06-09 12:32:45.736{B58D6529-E484-62A1-D700-000000006102}4724C:\Windows\Explorer.EXEHKU\S-1-5-21-2167596188-154398838-2475435708-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{6Q809377-6NS0-444O-8957-N3773S02200R}\Abgrcnq++\abgrcnq++.rkrBinary Data
10341000x800000000000000077809Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:32:45.736{B58D6529-E484-62A1-D700-000000006102}47244252C:\Windows\Explorer.EXE{B58D6529-E85F-62A1-8001-000000006102}4508C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dadff|C:\Windows\System32\SHELL32.dll+dbd25|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13beff|C:\Windows\System32\windows.storage.dll+13ac83|C:\Windows\System32\windows.storage.dll+1391af|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000077808Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:32:45.736{B58D6529-E484-62A1-D700-000000006102}47244252C:\Windows\Explorer.EXE{B58D6529-E85F-62A1-8001-000000006102}4508C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbc3e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13beff|C:\Windows\System32\windows.storage.dll+13ac83|C:\Windows\System32\windows.storage.dll+1391af|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000077807Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:32:45.736{B58D6529-E484-62A1-D700-000000006102}47244252C:\Windows\Explorer.EXE{B58D6529-E85F-62A1-8001-000000006102}4508C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+db054|C:\Windows\System32\SHELL32.dll+dbc07|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13beff|C:\Windows\System32\windows.storage.dll+13ac83|C:\Windows\System32\windows.storage.dll+1391af|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000077806Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:32:45.720{B58D6529-E484-62A1-D700-000000006102}47244860C:\Windows\Explorer.EXE{B58D6529-E85F-62A1-8101-000000006102}4980C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dadff|C:\Windows\System32\SHELL32.dll+dc3b0|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000077805Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:32:45.720{B58D6529-E484-62A1-D700-000000006102}47244860C:\Windows\Explorer.EXE{B58D6529-E85F-62A1-8101-000000006102}4980C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123a10|C:\Windows\System32\SHELL32.dll+dc36c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000077804Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:32:45.720{B58D6529-E484-62A1-D700-000000006102}47244860C:\Windows\Explorer.EXE{B58D6529-E85F-62A1-8101-000000006102}4980C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+db054|C:\Windows\System32\SHELL32.dll+dc340|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000077803Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:32:45.720{B58D6529-E484-62A1-D700-000000006102}47244860C:\Windows\Explorer.EXE{B58D6529-E85F-62A1-8101-000000006102}4980C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
354300x800000000000000077802Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:32:43.197{B58D6529-E286-62A1-7400-000000006102}4000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-921.attackrange.local60844-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000-
23542300x800000000000000077813Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:32:46.767{B58D6529-E28E-62A1-7E00-000000006102}3696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87A2733FCE5AC586BD7841607A122A14,SHA256=778AA9DBB3F5F834C0FEC30EE3215B83A8B01CBCA3F6905975E49D23E8244425,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000077814Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:32:47.861{B58D6529-E28E-62A1-7E00-000000006102}3696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F684D8B817656962646A8E2179F302C,SHA256=3BB9117C704347A41110357788DB73F3AE2BF4638DA6E3EB695116A7FE6FF227,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000077818Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:32:48.955{B58D6529-E28E-62A1-7E00-000000006102}3696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DDEC6F15B10E5A3ACC39A7F7EFB9522A,SHA256=750F51B5F49705C668697C2888549D2EDDBF51AF312BAFAE017AA59DE22EB9AA,IMPHASH=00000000000000000000000000000000falsetrue
13241300x800000000000000077817Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-SetValue2022-06-09 12:32:48.314{B58D6529-E484-62A1-D700-000000006102}4724C:\Windows\Explorer.EXEHKU\S-1-5-21-2167596188-154398838-2475435708-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data
13241300x800000000000000077816Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-SetValue2022-06-09 12:32:48.314{B58D6529-E484-62A1-D700-000000006102}4724C:\Windows\Explorer.EXEHKU\S-1-5-21-2167596188-154398838-2475435708-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\pzq.rkrBinary Data
13241300x800000000000000077815Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-SetValue2022-06-09 12:32:48.314{B58D6529-E484-62A1-D700-000000006102}4724C:\Windows\Explorer.EXEHKU\S-1-5-21-2167596188-154398838-2475435708-500_Classes\Local Settings\MuiCache\139\52C64B7E\LanguageListBinary Data
13241300x800000000000000077860Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-SetValue2022-06-09 12:32:50.533{B58D6529-E26D-62A1-1000-000000006102}304C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History\PolicyOverdueDWORD (0x00000000)
12241200x800000000000000077859Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-CreateKey2022-06-09 12:32:50.533{B58D6529-E26D-62A1-1000-000000006102}304C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History
13241300x800000000000000077858Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-SetValue2022-06-09 12:32:50.533{B58D6529-E26D-62A1-1000-000000006102}304C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Extension-List\{00000000-0000-0000-0000-000000000000}\LoggingStatusDWORD (0x00000000)
13241300x800000000000000077857Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-SetValue2022-06-09 12:32:50.533{B58D6529-E26D-62A1-1000-000000006102}304C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Extension-List\{00000000-0000-0000-0000-000000000000}\StatusDWORD (0x00000000)
13241300x800000000000000077856Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-SetValue2022-06-09 12:32:50.533{B58D6529-E26D-62A1-1000-000000006102}304C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Extension-List\{00000000-0000-0000-0000-000000000000}\EndTimeHiDWORD (0x01d87bfd)
13241300x800000000000000077855Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-SetValue2022-06-09 12:32:50.533{B58D6529-E26D-62A1-1000-000000006102}304C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Extension-List\{00000000-0000-0000-0000-000000000000}\EndTimeLoDWORD (0x0866e794)
13241300x800000000000000077854Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-SetValue2022-06-09 12:32:50.533{B58D6529-E26D-62A1-1000-000000006102}304C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Extension-List\{00000000-0000-0000-0000-000000000000}\StartTimeHiDWORD (0x01d87bfd)
13241300x800000000000000077853Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-SetValue2022-06-09 12:32:50.533{B58D6529-E26D-62A1-1000-000000006102}304C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Extension-List\{00000000-0000-0000-0000-000000000000}\StartTimeLoDWORD (0x0853d50c)
12241200x800000000000000077852Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-CreateKey2022-06-09 12:32:50.533{B58D6529-E26D-62A1-1000-000000006102}304C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Extension-List\{00000000-0000-0000-0000-000000000000}
12241200x800000000000000077851Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-CreateKey2022-06-09 12:32:50.533{B58D6529-E26D-62A1-1000-000000006102}304C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Extension-List
12241200x800000000000000077850Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-CreateKey2022-06-09 12:32:50.533{B58D6529-E26D-62A1-1000-000000006102}304C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine
13241300x800000000000000077849Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-SetValue2022-06-09 12:32:50.533{B58D6529-E26D-62A1-1000-000000006102}304C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\LastExtensionMadeSyncRequest{00000000-0000-0000-0000-000000000000}
13241300x800000000000000077848Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-SetValue2022-06-09 12:32:50.533{B58D6529-E26D-62A1-1000-000000006102}304C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\NextRefreshReasonDWORD (0x00000007)
13241300x800000000000000077847Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-SetValue2022-06-09 12:32:50.533{B58D6529-E26D-62A1-1000-000000006102}304C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\NextRefreshModeDWORD (0x00000001)
12241200x800000000000000077846Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-CreateKey2022-06-09 12:32:50.517{B58D6529-E26D-62A1-1000-000000006102}304C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\ServiceInstances
13241300x800000000000000077845Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-SetValue2022-06-09 12:32:50.517{B58D6529-E26D-62A1-1000-000000006102}304C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\DataStore\Machine\0\szTargetNameWIN-DC-CTUS-ATT
12241200x800000000000000077844Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-CreateKey2022-06-09 12:32:50.517{B58D6529-E26D-62A1-1000-000000006102}304C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\DataStore\Machine\0
12241200x800000000000000077843Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-CreateKey2022-06-09 12:32:50.517{B58D6529-E26D-62A1-1000-000000006102}304C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\DataStore\Machine
12241200x800000000000000077842Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-CreateKey2022-06-09 12:32:50.517{B58D6529-E26D-62A1-1000-000000006102}304C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\DataStore\Machine
13241300x800000000000000077841Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-SetValue2022-06-09 12:32:50.517{B58D6529-E26D-62A1-1000-000000006102}304C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\DataStore\Machine\0\szNameATTACKRANGE\WIN-DC-CTUS-ATT$
12241200x800000000000000077840Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-CreateKey2022-06-09 12:32:50.517{B58D6529-E26D-62A1-1000-000000006102}304C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\DataStore\Machine\0
12241200x800000000000000077839Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-CreateKey2022-06-09 12:32:50.517{B58D6529-E26D-62A1-1000-000000006102}304C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\DataStore\Machine
12241200x800000000000000077838Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-CreateKey2022-06-09 12:32:50.517{B58D6529-E26D-62A1-1000-000000006102}304C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\DataStore\Machine
10341000x800000000000000077837Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-2022-06-09 12:32:50.517{B58D6529-E26B-62A1-0B00-000000006102}628832C:\Windows\system32\lsass.exe{B58D6529-E268-62A1-0100-000000006102}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+976d2|C:\Windows\system32\kerberos.DLL+79b14|C:\Windows\system32\kerberos.DLL+1444f|C:\Windows\system32\lsasrv.dll+2f1c1|C:\Windows\system32\lsasrv.dll+2d0a6|C:\Windows\system32\lsasrv.dll+328e9|C:\Windows\system32\lsasrv.dll+30237|C:\Windows\system32\lsasrv.dll+2f1c1|C:\Windows\system32\lsasrv.dll+174fd|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e
13241300x800000000000000077836Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-SetValue2022-06-09 12:32:50.517{B58D6529-E26D-62A1-1000-000000006102}304C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History\IsSlowLinkDWORD (0x00000000)
12241200x800000000000000077835Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-921.attackrange.local-CreateKey2022-06-09 12:32:50.517{B58D6529-E26D-62A1-1000-000000006102}304C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History